Re: "PenTest" a container file

From: Benjamin Anderson (hawklan@iastate.edu)
Date: Thu Jan 18 2007 - 20:00:29 EST


I consider the fact they are using a private encryption type as a
giant red flag for the system. There is no reason to use a
proprietary system when there are many free algorithms that have been
thoroughly examined by the crypto community. The security of any
crypto-system should exist solely in knowledge of the key and not
rely on the secrecy of the algorithm.

That said, failing at cracking the system doesn't prove anything. If
I used a slight modification of DES the odds of cracking it in a few
weeks without knowledge of the algorithm are pretty slim. However,
once the algorithm is released or discovered, it could be cracked in
hours. If you don't have the application that reads or writes from
the container, finding the algorithm probably isn't possible in any
reasonable time, unless you use some social engineering to get it
from the company.

Knowing that they enter a password doesn't provide any real
information, as the "password" could simply be the hex-digits
representing an actual key. Of course a key would have to be entered
to decrypt the container file. It might also use a "regular"
password and use a hash of that to generate the key used, but it
still doesn't matter unless it is limited in some way like using 8
characters or less. In general, I think you would want to locate the
key in RAM when it is in use, or check if it ended up in swap space.
Unless, of course, they actually store the password for some reason.

If you just have the container file and not the app and any
associated files, I don't think there is much chance of cracking it,
unless they used something horrible like ROT13. I think a better
test would be seeing if using it on a system leaves any data that
could be exploited to handle a stolen laptop type of scenario.

I don't think I helped at all, but good luck with it.

Benjamin Anderson
Ph.D. Student
Iowa State University
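
An added example, not part of the original post: a byte-statistics triage for a container file, which catches the "something horrible like ROT13" case. A random-looking result says nothing about strength, since a slightly modified DES would pass too. The sample data, thresholds and function names are constructed assumptions.

```python
import codecs
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against uniform byte values (255 degrees of freedom)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def triage(data: bytes) -> str:
    """Coarse verdict; the thresholds are assumptions chosen for this example."""
    if len(data) < 1024:
        return "too small"          # histogram statistics are unreliable here
    if shannon_entropy(data) < 7.5 or chi_square_uniform(data) > 400:
        return "structured"         # encoding or substitution, not real encryption
    return "random-looking"         # necessary for a sound cipher, never sufficient

# Constructed sample inputs, 4096 bytes each.
PLAINTEXT = (b"Quarterly payroll export for the finance team, do not forward. " * 100)[:4096]
# ROT13 only permutes letters, so the byte histogram keeps its shape.
ROT13 = codecs.encode(PLAINTEXT.decode("ascii"), "rot_13").encode("ascii")
# Stand-in for the output of a well-examined cipher: XOR with a SHA-256 counter stream.
_STREAM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
STREAM_CT = bytes(p ^ k for p, k in zip(PLAINTEXT, _STREAM))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("rot13", ROT13), ("stream", STREAM_CT)):
        print(f"{name:9s} entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square_uniform(blob):.0f} -> {triage(blob)}")
```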




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:32 EDT