Full Disclosure mailing list archives

Re: Cipher detection

From: Tim <tim-security () sentinelchicken org>
Date: Thu, 7 Apr 2011 10:02:37 -0700

I'm trying to figure out what kind of cipher was used in this:

GGobQ2bsqd64PXVAmaDiDBg=

Looks like Base64, but it's not. The original string is:

dummy () example com

Thanks all!



As Thor mentioned, since the ciphertext is not a multiple of a common
block cipher's block size (8 or 16 bytes), then an XOR might be in
use.  This points to either a block cipher in CFB, OFB, or similar
modes, or a stream cipher (RC4?), or some hack someone put together
that involves XORing some secret with the email address.

Your next step should be to have several different plaintexts
encrypted, then XOR away the plaintext from the ciphertext to get your
keystream for each.  If you see duplication across key streams, then
you might be looking at a bad hack or use of a cipher which reuses the
same IV for each email address, which is also a big no-no.

HTH,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Cipher detection Maksim . Filenko (Apr 07)
- Re: Cipher detection Thor (Hammer of God) (Apr 07)
  - Re: Cipher detection Cal Leeming (Apr 07)
    - Re: Cipher detection ichib0d crane (Apr 08)
- Re: Cipher detection Tim (Apr 07)
- Re: Cipher detection Valdis . Kletnieks (Apr 07)
- Message not available
  - Re: Cipher detection Maksim . Filenko (Apr 08)
    - Re: Cipher detection Tim (Apr 08)
    - Re: Cipher detection Brandon Enright (Apr 08)