Penetration Testing mailing list archives

Re: "PenTest" a container file


From: Benjamin Anderson <hawklan () iastate edu>
Date: Thu, 18 Jan 2007 19:00:29 -0600

I consider the fact they are using a private encryption type as a giant red flag for the system. There is no reason to use a proprietary system when there are many free algorithms that have been thoroughly examined by the crypto community. The security of any crypto-system should exist solely in knowledge of the key and not rely on the secrecy of the algorithm.

That said, failing at cracking the system doesn't prove anything. If I used a slight modification of DES, the odds of cracking it in a few weeks without knowledge of the algorithm are pretty slim. However, once the algorithm is released or discovered, it could be cracked in hours. If you don't have the application that reads or writes from the container, finding the algorithm probably isn't possible in any reasonable time, unless you use some social engineering to get it from the company.

Knowing that they enter a password doesn't provide any real information, as the "password" could simply be the hex-digits representing an actual key. Of course a key would have to be entered to decrypt the container file. It might also use a "regular" password and use a hash of that to generate the key used, but it still doesn't matter unless it is limited in some way like using 8 characters or less. In general, I think you would want to locate the key in RAM when it is in use, or check if it ended up in swap space. Unless, of course, they actually store the password for some reason.

If you just have the container file and not the app and any associated files, I don't think there is much chance of cracking it, unless they used something horrible like ROT13. I think a better test would be seeing if using it on a system leaves any data that could be exploited to handle a stolen laptop type of scenario.

I don't think I helped at all, but good luck with it.

Benjamin Anderson
Ph.D. Student
Iowa State University
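
Added example, not part of the original message: a statistical screen for whether a container's bytes look uniform or still carry text statistics, as they would under something like ROT13. The sample data, function names and thresholds are constructed assumptions; passing the screen only rules out the weakest schemes and, as the message says, proves nothing about the algorithm.

```python
import codecs
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte histogram in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def passes_randomness_screen(data: bytes, min_entropy: float = 7.9,
                             max_chi2: float = 400.0) -> bool:
    """True if the bytes are statistically close to uniform.

    Thresholds are assumptions for this example. Passing only rules out
    text-preserving schemes; it says nothing about the cipher's real strength.
    """
    return shannon_entropy(data) >= min_entropy and chi_square_uniform(data) <= max_chi2

def constructed_samples(size: int = 65536) -> dict:
    """Build three constructed inputs: plaintext, ROT13 of it, and a uniform stream."""
    text = ("Quarterly payroll export for the finance team. "
            "Account numbers and salaries follow in plain text.\n")
    plain = (text * (size // len(text) + 1))[:size]
    rot13 = codecs.encode(plain, "rot_13")
    # SHA-256 in counter mode stands in for the output of a well-designed cipher.
    stream = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                      for i in range(size // 32))
    return {"plaintext": plain.encode("ascii"),
            "rot13": rot13.encode("ascii"),
            "uniform": stream}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:10s} entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square_uniform(blob):.0f} "
              f"screen={'pass' if passes_randomness_screen(blob) else 'fail'}")
```

Compressed data also passes this screen, so a pass does not even establish that the file is encrypted.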

