From: Peter Kosinar (goober@ksp.sk)
Date: Wed Apr 26 2006 - 22:05:44 EDT
Hello,
> When I repeated it often enough. I got this pattern.
> a=707
> aa=7073e
> aaa=7073e45
> aaaa=7073e455b
A very short analysis suggests that the encryption is a salted bijection
(= no hash) and it looks incredibly simple and easy-to-break. So far, this
is only a conjecture based on very small amount of data but I doubt there
will be some special quirks employed by the encryption algorithm.
Unfortunately, the small amount of input data also means that there are a
few questions left unanswered.
The general idea of the encryption is as follows:
It starts by choosing a random number ('salt') S, probably from the
interval 0-15 (the only observed values so far have been from the interval
0-10). The salt (represented as a hexadecimal digit) is the first
character of the encrypted password. Then, the function processes the
password byte-by-byte and encrypts each of them by XOR-ing them with a
fixed key, starting at position S. Each byte is then represented as
two-digit hexadecimal number. Nothing more, nothing less...
Mathematically, C[i] = P[i] ^ K[S+i], where C is the ciphertest, P[i] is
the plaintext and K is the _fixed_ key, which does not depend on the
input.
It's not clear whether the key is cyclic and if it is, what is its period.
So far, only first 12 characters of the key could have been recovered (it
is acually possible that the key is only 11 bytes long because K[0] =
K[11]). In order to find that out, it might be a good idea to try to
encrypt a password consisting of 17 a's.
The following short C program demonstrates how simple the decryption is --
just try to feed it with the encrypted password and observe the result
[it's based on the unverified assumption that the fixed key is 11 bytes
long]
------
#include <stdio.h>
int key[11] =
{ 0x21, 0x76, 0xe4, 0x39, 0x22, 0x32, 0xa7, 0x66, 0x5f, 0x24, 0x3a };
int main() {
int k, c;
for (scanf("%1x", &k); scanf("%02x", &c) == 1; k++)
putchar(c^key[k%11]);
putchar('\n');
return 0;
}
------
Peter
-- [Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278 ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com for details. ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:53 EDT