Bugtraq mailing list archives

InterNIC Shenanigans (crypt-pw)


From: hamors () litterbox org (Sean B. Hamor)
Date: Fri, 11 Oct 1996 12:21:50 -0400




Well, the InterNIC has started protecting against fakemailed domain name and
NIC handle changes by adding "crypt-pw" and PGP support to their databases.
For those of you not familiar with this, you can now request that your email
address not be used to authenticate you, but instead add a crypted string or
PGP key id to your domain/NIC template to authenticate you.  You have to
submit your PGP public key block to the InterNIC keyserver if you've chosen
to use the PGP option.

Regardless, it seems that there may be a hiccup in the InterNIC's method of
generating crypted strings.  I admit, I'm not very knowledgeable when it
comes to encryption schemes, but even I can see an initial problem here.
Because of my lack of knowledge, however, I wouldn't be able to continue any
further to see how deep this initial discovery I made runs.

If you don't want to use the entire WWW domain/NIC template, you can use
http://rs.internic.net/guardian/crypt-pw.html to generate a crypted passwd
for you.  Basically, you type in your cleartext passwd, hit submit, and it
fires back the crypted version at you.  Here are some cleartext/ciphertext
combinations:

nuke           nuX9097V9o/TY
narque         naXwgSS98Q3xo
cq             cqjtFeb2JgXwg
222222         22Yrs645sLqh2

Is it just me, or does it seem silly to you that the first two characters of
the passwd are revealed by the first two characters in the crypted passwd?
A quote from the crypt-pw.html page:  "Please note that this option is not
as secure as PGP.  We recommend the use of PGP when possible."  Go figure.

Just my 00000010 sense...

Finger hamors () ishiboo com           /\_/\          mailto:hamors () litterbox org
for PGP public key block.          ( o.o )     http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA     > ^ <    http://www.litterbox.org/~hamors/
 Hi!  I'm a .signature virus!  Add me to your .signature and join in the fun!

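Added example, not part of the original post and not InterNIC's code: traditional DES crypt(3) output always carries its two-character salt in the clear as the first two characters, so the check below splits the four pairs quoted above and flags any whose salt equals the password's own first two characters. The function names are hypothetical, and random_salt() shows a salt chosen independently of the password.

```python
import secrets
import string

# Traditional DES crypt(3) output: 2 salt characters followed by 11 hash
# characters, all drawn from this 64-character alphabet.
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

# Pairs quoted in the post (cleartext, crypt-pw output).
POSTED_PAIRS = [
    ("nuke", "nuX9097V9o/TY"),
    ("narque", "naXwgSS98Q3xo"),
    ("cq", "cqjtFeb2JgXwg"),
    ("222222", "22Yrs645sLqh2"),
]

def split_des_crypt(crypted):
    """Return (salt, digest); raise ValueError if not a 13-char DES crypt string."""
    if len(crypted) != 13 or any(c not in CRYPT_ALPHABET for c in crypted):
        raise ValueError("not a traditional DES crypt(3) string: %r" % crypted)
    return crypted[:2], crypted[2:]

def salt_leaks_prefix(cleartext, crypted):
    """True when the public salt equals the first two password characters."""
    salt, _ = split_des_crypt(crypted)
    return len(cleartext) >= 2 and salt == cleartext[:2]

def audit(pairs):
    """Return the cleartexts whose stored string exposes their own prefix."""
    return [clear for clear, crypted in pairs if salt_leaks_prefix(clear, crypted)]

def chance_of_coincidence(n):
    """Probability that n independently random salts all match by accident."""
    return (1 / len(CRYPT_ALPHABET) ** 2) ** n

def random_salt():
    """Corrected choice: two salt characters independent of the password."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))

if __name__ == "__main__":
    leaked = audit(POSTED_PAIRS)
    for clear in leaked:
        print("salt derived from password:", clear)
    print("odds this is chance: %.3g" % chance_of_coincidence(len(leaked)))
    print("independent salt example:", random_salt())
```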


