Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110522232757.GB2055@openwall.com>
Date: Mon, 23 May 2011 03:27:57 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: "excessive partial hash collisions detected" for mskrb5

magnum, Dhiru -

On Sun, May 22, 2011 at 11:47:21PM +0200, magnum wrote:
> True, I have no binary_hash() or get_hash() functions. As far as I can 
> tell, there's just no way to implement them for this format. I think you 
> could say it's implemented as "salt only". After crypt_all() I have a 
> partial decrypt of the input, that will contain known plaintext if the 
> key was correct. This means a get_hash() function has no chance of 
> producing anything that a binary_hash() could produce too.

This sounds right.

> If not, maybe there should be a way to tell john that it should not emit 
> that warning for this format (and possibly some others)? Maybe just the 
> fact that I'm also using fmt_default_binary()?

I think we can add a check for zero binary_size to loader.c - and not
print the warning if so.

Your use of fmt_default_binary() does not tell as much.  This function
simply returns the ASCII ciphertext unmodified, which some format could
be using (including in its hash functions).

You could move from decryption (resulting in known plaintext) to
encryption (of the known plaintext), then you could compare
partial ciphertexts and compute hashes of those.  Moreover, you'd get
rid of salts, for a huge speedup (when there's more than one of these
non-hashes to crack).  But this might not be possible in your specific
case (I haven't checked whether it is).  I think it depends on things
such as block cipher mode used (should be possible for ECB, but not for
chaining modes if plaintext for the preceding blocks is not known).

Disclaimer: I haven't yet looked at your code, sorry.  My response is
about issues of this kind in general.  I think it might be relevant to
Dhiru's work as well.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.