Security Basics mailing list archives

Re: Cracking simple password encryption


From: Gilles DEMARTY <gilles.demarty () gmail com>
Date: Thu, 22 Dec 2005 08:14:16 +0100

2005/12/22, David Hogue <davehogue () gmail com>:
I am trying to figure out the password encryption scheme
password        crypted
a               aQ==
b               cg==
c               ew==
aa              aWo=
ab              aXE=
cc              e3g=
aaa             aWpq
aab             aWpx
abb             aXFx
bbb             cnFx

No XORs over there:

The first digit of the crypted text depends only on the first char of the clear.
The second digit of the crypted text depends on the first two chars of the clear.
The third digit of the crypted text depends only on the last two.
The fourth digit of the crypted text depends only on the last one.

The first question coming to my mind is: can there be more than 3
digits in the clear password, or can you encode longer passwords?
The second is: can you encrypt your own password (obtain more
clear-crypted pairs), or are these the only samples you can obtain and
you have been asked to cryptanalyze them (i.e. break the code)?

Since the 4 digits of crypted text are independent, you can try to
break the easier form:
see these equations as functions of 1 or 2 variables.
first sample :
a = a
b = c
c = e

second sample :
(where & means nil, nothing)
a,& = 'Q'
b,& = 'g'
c,& = 'w'
a,a = 'W'
a,b = 'X'
b,b = 'n'
c,c = '3'

third sample :
&,& = '='
a,& = o
b,& = E
c,& = g
a,a = p
a,b = p
b,b = F
(looks like this one is only dependent on the presence of a third
digit, but not the value => to be validated, something like: if
second var is not null: then result += 1).

fourth sample :
& = '='
a = q
b = x

and then concatenate everything;

If you can generate your own passwords, then try to make every possible
combination (first and last samples: a 256-char mapping, or more
exactly 62 if you take only alphanumeric combinations; the two middle
ones: 3969 possibilities).

Of course, these conclusions are only from what you have provided, and
may not be true with more samples;

and as for the reverse function == obtain clear text from the crypted
one (as it may be what you're interested in).



my 2 cents
hope it helps;



Thanks,
David
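
Added example, not part of either poster's message: every crypted value in the samples is valid base64, and base64 packs 3 bytes into 4 characters, which produces exactly the per-digit dependency pattern described above. The sketch below strips that layer and tests, against the listed samples only, the assumption that what remains is one cipher byte per cleartext character chosen by position; the function names are made up for this example.

```python
import base64
from collections import defaultdict

# Cleartext/crypted pairs exactly as listed in the post.
SAMPLES = {
    "a": "aQ==", "b": "cg==", "c": "ew==",
    "aa": "aWo=", "ab": "aXE=", "cc": "e3g=",
    "aaa": "aWpq", "aab": "aWpx", "abb": "aXFx", "bbb": "cnFx",
}

def decode_samples(samples):
    """Strip the base64 layer: return {cleartext: raw cipher bytes}."""
    return {clear: base64.b64decode(crypted, validate=True)
            for clear, crypted in samples.items()}

def position_tables(samples):
    """Return ({position: {clear_char: cipher_byte}}, conflicts).

    Assumption under test: the inner layer maps one cleartext character to
    one byte, chosen by position. A conflict is any sample that breaks it.
    """
    tables, conflicts = defaultdict(dict), []
    for clear, raw in decode_samples(samples).items():
        if len(raw) != len(clear):
            conflicts.append((clear, "length mismatch"))
            continue
        for pos, (ch, byte) in enumerate(zip(clear, raw)):
            if tables[pos].setdefault(ch, byte) != byte:
                conflicts.append((clear, pos))
    return dict(tables), conflicts

def recover(crypted, tables):
    """Invert a value using only observed mappings; unknown bytes give '?'."""
    raw = base64.b64decode(crypted, validate=True)
    out = []
    for pos, byte in enumerate(raw):
        inverse = {b: c for c, b in tables.get(pos, {}).items()}
        out.append(inverse.get(byte, "?"))
    return "".join(out)

if __name__ == "__main__":
    tables, conflicts = position_tables(SAMPLES)
    for pos, table in sorted(tables.items()):
        print(pos, {ch: hex(b) for ch, b in table.items()})
    print("conflicts:", conflicts)
    print(recover("cnFx", tables))  # a crypted value from the samples
```

With no conflicts across the ten samples, each position needs at most one table entry per character to be fully reversible, so a scheme of this shape offers no protection for stored passwords.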

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




