Full Disclosure mailing list archives

Re: NSRG-Security SaS Encryption cracked


From: "Paul Tinsley" <tinsleyphone () hotmail com>
Date: Wed, 15 Oct 2003 15:42:45 -0500

> On Wed, 15 Oct 2003 01:55:10 CDT, Paul Tinsley <pdt () jackhammer org> said:
> > full-disclosure it inspired me to audit a few websites myself. I started
> > with the author of all the IMHO frivolous postings and found that he
> > "encrypted" his website with something called SaS that his group wrote.
>
> Since the transmitted HTML needs to be (eventually) interpreted as HTML, there
> are only two basic options:
>
> 1) Settle for mere obfuscation and a snippet of reverse-engineerable Javascript
> or similar that decodes the obfuscated input to HTML that the browser will
> accept.
>
> 2) Use a public-key or shared-secret system wherein each client gets a
> potentially different version of the page (note that this includes the case of
> an HTTP authentication failing and giving you an error page).
>
> Again, to repeat - without some sort of per-client unique key, all you can do
> is obfuscate, and said obfuscation has to be done in a programmable reversible
> way to be at all useful.

I 100% agree with you. I tried to make it apparent that I didn't agree with the term encryption as used by Lorenzo by quoting it both in my email and in my source code. I am fully aware that the content has to be interpreted and that was half of the reason that I decided to throw that code together last night. I wanted to make the point that it was a pretty fruitless venture. Sorry if I didn't convey that very well...

I am lumping this email together as I don't have much time today to deal with responses to this:

Lorenzo:
   Quote:    "PS: I'm working in a md5 file hash system for pages"
   Response: The wheel currently exists: Tripwire, AIDE, tracker,
             etc...

   Quote:    "But , it's easy to identify the encoding in first view:"
   Response: I am aware of that, but I wasn't sure that you were; you
             use the term encryption both in your comments and in your
             javascript (actually you call it decrypt, but those two
             go hand in hand)...

   Quote:    "currently are not available fast methods to encrypt pages in real time"
   Response: I was playing with this neat technology the other day called
             SSL that seems to do the trick pretty nicely. I even discovered
             that most browsers come with support for it by default! It even
             takes it one step further: the stuff you send from the client
             to the server is encrypted as well.

   Quote:    "I think yo toke the exploit/perl script from a developers site because SaS is using an standard of encoding"
   Response: If you really want to know, I just "ported" your "decryption"
             (note the quotes!) algorithm to perl and wrote a few regular
             expressions to pull out the parts I needed. This should be
             obvious by the use of the SAME exact variables in most places,
             except a few thrown in for my own enjoyment, ex: @special_sauce.

   Quote:    "as you see it's not encryption , so , you didn't cracked nothing.... you decoded it !"
   Response: Were you to pay attention to the code or the name of the file,
             you would realize that the pieces I created DO refer to decoding,
             not decrypting.

P.S. - Sorry about formatting/spelling errors, I am reduced to hotmail due to fsck errors on my mail server which is in a lights out data center. OK, back to rebuilding the replacement mail server...
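The point made twice in this thread (option 1 in the quoted reply, and the "ported your decryption algorithm to perl and wrote a few regular expressions" remark above) can be shown in a few lines. What follows is an added illustration, not code from this post, not Paul Tinsley's perl script, and not the real SaS encoding, which the thread never reproduces. The scheme is a constructed one (XOR with a repeating key, hex-encoded), and every name in it (obfuscatePage, recoverPage, the k and d variables) is assumed for the example. The one thing it shares with any client-side "encryption" is the property that matters: the key and the decoder are delivered inside the page, so the recipient needs no secret to reverse it.

```javascript
// Added example: a toy "page encryption" whose key ships with the page,
// and the two-regex recovery that defeats it. Not SaS's real encoding;
// all names and the XOR+hex scheme are assumptions for illustration.

const enc = new TextEncoder();
const dec = new TextDecoder();

// XOR each byte of the text with the repeating key and hex-encode the result.
function xorHex(text, key) {
  const data = enc.encode(text);
  const k = enc.encode(key);
  let out = "";
  for (let i = 0; i < data.length; i++) {
    out += (data[i] ^ k[i % k.length]).toString(16).padStart(2, "0");
  }
  return out;
}

// Inverse of xorHex: hex-decode, XOR with the same key, decode as UTF-8.
function unxorHex(hex, key) {
  const k = enc.encode(key);
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16) ^ k[i % k.length];
  }
  return dec.decode(bytes);
}

// What an "encrypting" tool of this kind emits: blob, key and decoder, all
// in the one page the browser receives. The decrypt body is a placeholder
// here because recoverPage below never needs to run it.
function obfuscatePage(html, key) {
  return [
    "<html><body><script>",
    `var k="${key}";`,
    `var d="${xorHex(html, key)}";`,
    "function decrypt(d,k){/* same XOR, run by the browser */}",
    "document.write(decrypt(d,k));",
    "</script></body></html>",
  ].join("\n");
}

// What a reader does: pull k and d out of the page with two regular
// expressions and apply the inverse transform. No secret is required,
// because the page contains everything the browser would have used.
function recoverPage(page) {
  const key = /var k="([^"]*)";/.exec(page);
  const blob = /var d="([0-9a-f]*)";/.exec(page);
  if (!key || !blob) throw new Error("no obfuscated payload found");
  return unxorHex(blob[1], key[1]);
}

// Constructed sample input (not a real page from the thread).
const ORIGINAL = "<h1>Members only</h1><p>Nothing secret about this.</p>";
const PAGE = obfuscatePage(ORIGINAL, "s3cr3t");

// Round trip without ever being told the key: returns ORIGINAL.
function demo() {
  return recoverPage(PAGE);
}
```

Changing the key value changes nothing for the reader, since recoverPage reads it from the same page; that is what separates this from option 2 in the quoted reply, where a per-client key (the TLS session key, in the SSL case Paul mentions) never appears in the delivered content and so cannot be pulled out with a regex.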


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
