Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110405000617.GA16081@openwall.com>
Date: Tue, 5 Apr 2011 04:06:17 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Using DES_bs

On Mon, Apr 04, 2011 at 06:27:57PM -0500, Daniel Beard wrote:
> Okay I have one last question just so I'm clear. Does DES_bs encrypt a key
> to a DES hash or attempt to decrypt a DES hash to find a key candidate?

Neither, and this is not specific to the implementation.

Assuming that we're talking about the DES-based crypt(3), it applies DES
as follows.  The password is used as the DES encryption key.  The data
to be encrypted is 0 (a 64-bit block of all zero bits).  25 iterations
of salt-modified DES are used to encrypt this block.  The resulting
"encrypted" block is used as a hash of the password.

Thus, in DES terms, the key is not being encrypted.

What John does is:

1. For each DES-based hash loaded for cracking, the ASCII encoding is
reversed and the DES final permutation is undone.

2. For each candidate password, it is setup as a DES key, and 25
iterations of salt-modified DES are used to encrypt the all-zeroes block.
Then, without doing final permutation, the result is compared against
hashes loaded for cracking (and pre-processed as described above).

Thus, the initial and final permutations of DES are not performed in the
main cracking loop at all.  First, there's no point in permuting the 64
zero bits.  Then, each iteration's final permutation would be reversed
by the next iteration's initial permutation.  Finally, the final
iteration's final permutation is undone at loading of the hashes.

With a bitslice implementation, we actually produce a large number of
password hashes at once (for different candidate passwords), and usually
we compare them against the hashes loaded for cracking indirectly
(either with the logarithmic time algorithm in DES_bs_cmp_all() or with
hash table lookups, where we use partial hashes as indices).

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.