Bugtraq mailing list archives
InterNIC Shenanigans (crypt-pw)
From: hamors () litterbox org (Sean B. Hamor)
Date: Fri, 11 Oct 1996 12:21:50 -0400
-----BEGIN PGP SIGNED MESSAGE-----

Well, the InterNIC has started protecting against fakemailed domain name and NIC handle changes by adding "crypt-pw" and PGP support to their databases. For those of you not familiar with this, you can now request that your email address not be used to authenticate you, but instead add a crypted string or PGP key id to your domain/NIC template to authenticate you. You have to submit your PGP public key block to the InterNIC keyserver if you've chosen to use the PGP option.

Regardless, it seems that there may be a hiccup in the InterNIC's method of generating crypted strings. I admit, I'm not very knowledgeable when it comes to encryption schemes, but even I can see an initial problem here. Because of my lack of knowledge, however, I wouldn't be able to continue any further to see how deep this initial discovery I made runs.

If you don't want to use the entire WWW domain/NIC template, you can use http://rs.internic.net/guardian/crypt-pw.html to generate a crypted passwd for you. Basically, you type in your cleartext passwd, hit submit, and it fires back the crypted version at you. Here are some cleartext/ciphertext combinations:

    nuke      nuX9097V9o/TY
    narque    naXwgSS98Q3xo
    cq        cqjtFeb2JgXwg
    222222    22Yrs645sLqh2

Is it just me, or does it seem silly to you that the first two characters of the passwd are revealed by the first two characters in the crypted passwd?

A quote from the crypt-pw.html page:

"Please note that this option is not as secure as PGP. We recommend the use of PGP when possible."

Go figure. Just my 00000010 sense...

Finger hamors () ishiboo com      /\_/\   mailto:hamors () litterbox org
for PGP public key block.        ( o.o )  http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA   > ^ <   http://www.litterbox.org/~hamors/
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!
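An added example, not part of the original post and not InterNIC's code: a Python check that takes the four pairs quoted above and confirms that the salt prefix of each crypted string was copied from the start of the password, then shows a randomly drawn salt as the alternative. It assumes the form emits traditional 13-character DES crypt(3) strings, whose first two characters are the salt; all function names are illustrative.

```python
import secrets
import string

# Alphabet used for the salt and digest of traditional DES-based crypt(3)
# (assumption: the strings in the post are in this format).
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

# The four cleartext/crypted pairs quoted in the post.
POSTED_PAIRS = [
    ("nuke", "nuX9097V9o/TY"),
    ("narque", "naXwgSS98Q3xo"),
    ("cq", "cqjtFeb2JgXwg"),
    ("222222", "22Yrs645sLqh2"),
]

def split_crypt(crypted):
    """Return (salt, digest) of a 13-character crypt(3) string, or raise ValueError."""
    if len(crypted) != 13 or any(c not in CRYPT_ALPHABET for c in crypted):
        raise ValueError(f"not a traditional crypt(3) string: {crypted!r}")
    return crypted[:2], crypted[2:]

def audit_pair(cleartext, crypted):
    """Report whether the visible salt was copied from the start of the password."""
    salt, _digest = split_crypt(crypted)
    copied = cleartext[:2] == salt
    return {
        "salt": salt,
        "salt_from_password": copied,
        # A password of two characters or fewer is disclosed entirely by the salt.
        "fully_disclosed": copied and len(cleartext) <= 2,
    }

def salt_is_systematic(pairs):
    """True when every supplied pair shows the copied-salt pattern."""
    return bool(pairs) and all(audit_pair(c, h)["salt_from_password"] for c, h in pairs)

def random_salt():
    """The alternative: draw both salt characters at random, independent of the password."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))

if __name__ == "__main__":
    for clear, crypted in POSTED_PAIRS:
        print(clear, audit_pair(clear, crypted))
    print("systematic:", salt_is_systematic(POSTED_PAIRS))
    print("example random salt:", random_salt())
```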