Figuring out Encryption Used

[chris.biettchert at gmail.com (Chris Biettchert)]

So, the system takes whatever password you supply and creates a 64bit hash
value out of it and then allows you to export that as key material to usb
without any additional protections? In addition, no salting or anything is
taking place? It sounds trivial to generate a rainbow table using the system
as an oracle.

Ask the vendor for the specification on the encryption including what
libraries were used. If they built their own 'military grade' encryption,
look elsewhere. From what you provided, I would be looking elsewhere
already.

Saying all of that, you didn't give a lot of background on the app. Is it
going to be accessible to the public? What are the real threat vectors for
it? What data is the password going to protect? You may find that even if
the app didn't have a password, you can have compensating controls in place
that provide authentication prior to the user having access to the app.

On Wed, Jul 15, 2009 at 4:58 AM, <infolookup at gmail.com> wrote:

> Hi Jim,
>
> Thanks for the reply so far I have noticed the following;
> 1. The minimum clear text password length is six.
> 2. Even when I create a 9/20 characters plain text password, the encrypted
> password/hash is still 8 characters in length.
> 3.I can't automate password creation I have to create a user account then
> assign it a password then chose create USB key file and that's how the
> system exports the password.
>
> Sent from my Verizon Wireless BlackBerry
>
> ------------------------------
> *From*: Jim Halfpenny
> *Date*: Wed, 15 Jul 2009 10:34:00 +0100
> *To*: <infolookup at gmail.com>; PaulDotCom Security Weekly Mailing List<
> pauldotcom at mail.pauldotcom.com>
> *Subject*: Re: [Pauldotcom] Figuring out Encryption Used
> Hi,
> If you do this kind of known plaintext activity then start by generating a
> dictionary mapping passwords to hashes. Start with single characters and
> work up.
>
> Is the length of the crypt the same each time?
> Does the password length affect the length of the crypt?
> Does 'aaa' yield a similar crypt to 'aab'?
> Is there a maximum password length after which the password is truncated
> before being hashed (think Unix crypt)?
>
> At worst you can create a rainbow table for this implementation, assuming
> you can automate password generation.
>
> Jim
>
>
> 2009/7/15 <infolookup at gmail.com>
>
> > Hello All:
> >
> > I am looking for some utilities/framework for testing  encryption schemes,
> > I am testing an application prior to production and I would like to know
> > what steps would one take to reverse the following:
> >
> > Plain text password       Encrypted
> >  abcdef                   +PSTK8+K
> >  123456                   +3fYeUaJ
> >
> >
> > Thanks in advanced!
> > Sent from my Verizon Wireless BlackBerry
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090715/05c95072/attachment.htm