Re: RE: Password secured using?

[Peter Kosinar <goober () ksp sk>]

Hello,

> When I repeated it often enough. I got this pattern.
> a=707
> aa=7073e
> aaa=7073e45
> aaaa=7073e455b

A very short analysis suggests that the encryption is a salted bijection 
(= no hash) and it looks incredibly simple and easy-to-break. So far, this 
is only a conjecture based on very small amount of data but I doubt there 
will be some special quirks employed by the encryption algorithm. 
Unfortunately, the small amount of input data also means that there are a 
few questions left unanswered.

The general idea of the encryption is as follows:

It starts by choosing a random number ('salt') S, probably from the 
interval 0-15 (the only observed values so far have been from the interval 
0-10). The salt (represented as a hexadecimal digit) is the first 
character of the encrypted password. Then, the function processes the 
password byte-by-byte and encrypts each of them by XOR-ing them with a 
fixed key, starting at position S. Each byte is then represented as 
two-digit hexadecimal number. Nothing more, nothing less...

Mathematically, C[i] = P[i] ^ K[S+i], where C is the ciphertest, P[i] is 
the plaintext and K is the _fixed_ key, which does not depend on the 
input.

It's not clear whether the key is cyclic and if it is, what is its period. 
So far, only first 12 characters of the key could have been recovered (it 
is acually possible that the key is only 11 bytes long because K[0] = 
K[11]). In order to find that out, it might be a good idea to try to 
encrypt a password consisting of 17 a's.

The following short C program demonstrates how simple the decryption is -- 
just try to feed it with the encrypted password and observe the result 
[it's based on the unverified assumption that the fixed key is 11 bytes 
long]

------
#include <stdio.h>

int key[11] =
{ 0x21, 0x76, 0xe4, 0x39, 0x22, 0x32, 0xa7, 0x66, 0x5f, 0x24, 0x3a };

int main() {
  int k, c;
  for (scanf("%1x", &k); scanf("%02x", &c) == 1; k++)
    putchar(c^key[k%11]);
  putchar('\n');
  return 0;
}
------

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------