Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <BLU0-SMTP178468A34C4C1FF78131FDBFD3F0@phx.gbl>
Date: Fri, 28 Dec 2012 19:17:43 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Formats dmg, encfs and strip crash on longer passwords

On 12/28/2012 06:21 PM, Dhiru Kholia wrote:
> The problem is in the pbkdf2 code I borrowed from Lukas ;)
> 
> The following patch (which is sure to be wrong!) avoids the crash.
> 
> diff --git a/src/encfs-pbkdf2.h b/src/encfs-pbkdf2.h
> index 0cb0f4a..9a5ae17 100644
> --- a/src/encfs-pbkdf2.h
> +++ b/src/encfs-pbkdf2.h
> @@ -282,7 +282,7 @@ void preproc(const uint8_t * key, uint32_t keylen,
>  {
>         int i;
>         uint32_t W[16], temp;
> -       uint8_t ipad[20];
> +       uint8_t ipad[32];
>         uint32_t A = INIT_A;
>         uint32_t B = INIT_B;
>         uint32_t C = INIT_C;

Yes, this doesn't look like a correct fix, given the
context. It just avoids the crash.
Can you get real hashes for passwords with a length > 20?
Without a valid test case, it is hard to tell what needs to be done if
longer passwords occur.

BTW: This only "fixes" encfs, since dmg and strip include keychain.h
instead.

> The same problem exists in formats using same or similar pbkdf2 code.

keychain.h and encfs-pbkdf2.h are quite similar.
I think we should aim to move all reusable code out of these 2 files
into a separate file.

> What should be the max password length (which actually works) for
> formats using your pbkdf2 code?. Can it be increased?

The more interesting question is: what is the maximum password length
supported by the software which creates/uses these hashes?

Then we can decide how to adjust these formats:
-Mac OS X Keychain PBKDF2-HMAC-SHA-1 3DES
-Apple DMG PBKDF2-HMAC-SHA-1 3DES / AES
-STRIP Password Manager PBKDF2-SHA1
-EncFS PBKDF2 AES / Blowfish
-1Password Agile Keychain PBKDF2-HMAC-SHA-1 AES
-Kerberos 5 AS-REQ Pre-Auth etype 17/18 aes-cts-hmac-sha1-96

For some reason, I didn't find a problem with max. password length for
krb5pa-sha1, even though it claims to support passwords with a length of
up to 125 bytes.

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.