Message-ID: <20150822021606.GA8588@openwall.com>
Date: Sat, 22 Aug 2015 05:16:06 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: testing every index (Re: more robustness)

On Fri, Aug 21, 2015 at 04:37:41PM +0800, Kai Zhao wrote:
> On Mon, Aug 17, 2015 at 9:52 PM, Solar Designer <solar@...nwall.com> wrote:
> > [0] = "AAAAAA"
> > [1] = "wrong password"
> > [2] = "AAAAAAA"
> > [3] = "wrong password"
> > [4] = "CRACKPO"
> > [5] = "wrong password"
> > [6] = "IMPUNIT"
> > [7] = "wrong password"
> > ...
>
> If we are testing the first hash '$LM$a9c604d244c4e99d', only
> "AAAAAA" is correct, "AAAAAAA", "CRACKPO" and "IMPUNIT"
> are incorrect passwords. Why introduce those passwords ?

You shouldn't be testing only the first hash - you should be testing all
hashes (with a given salt) at once, just like JtR does when cracking
passwords.

In pseudo-code (with some omissions), it's like this:

	set_salt(...);
	while (i < max) {
		set_key(next correct password, i++);
		if (i < max)
			set_key(wrong password, i++);
		if (j > test vector count)
			j = 0; /* Repeat the pattern */
	}
	crypt_all(); /* Don't forget to use its return value */
	check cmp_all() against each hash with the given salt
	check cmp_one() against each combination of index, hash
	check cmp_exact() and get_hash[]() similarly

However, you have a good point: for salted hashes, there might not be
more than one test vector with a given salt (although often we do have
several per salt). In that case yes, you're more limited in what
correct passwords you can include, and the pattern (to be repeated)
becomes rather short.

> I am a little confused. For example:
>
> We are testing the first hash '$LM$a9c604d244c4e99d' whose
> correct password is "AAAAAA".
>
> 1. All correct
>
> key[0] = "AAAAAA"
> key[1] = "AAAAAA"
> key[2] = "AAAAAA"
> key[3] = "AAAAAA"
> ...
>
> 2. All incorrect
>
> key[0] = "wrong password"
> key[1] = "wrong password"
> key[2] = "wrong password"
> key[3] = "wrong password"
> ...
>
> 3. Even index is correct
>
> key[0] = "AAAAAA"
> key[1] = "wrong password"
> key[2] = "AAAAAA"
> key[3] = "wrong password"
> ...
>
> 4. Odd index is correct
>
> key[0] = "wrong password"
> key[1] = "AAAAAA"
> key[2] = "wrong password"
> key[3] = "AAAAAA"
> ...
>
> 5. The ith password is correct if hash(i) is even, otherwise incorrect
>
> key[0] = "AAAAAA"
> key[1] = "AAAAAA"
> key[2] = "wrong password"
> key[3] = "AAAAAA"
> ...
>
> 6. The ith password is correct if hash(i) is odd, otherwise incorrect
>
> key[0] = "wrong password"
> key[1] = "wrong password"
> key[2] = "AAAAAA"
> key[3] = "wrong password"
> ...
>
> Is this what you mean ?

No. You should in fact use all test vectors' correct passwords that we
have at a time, as long as they fit under max_keys_per_crypt.

Alexander
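
The every-index test described in the message above, as an added sketch that is not part of the original post and is not John the Ripper's own code. The function names mirror the pseudo-code but take simplified arguments; toy_hash, the buggy flag (a simulated index wrap-around defect) and the three constructed plaintexts treated as sharing one salt are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_KEYS 8   /* stand-in for max_keys_per_crypt */
#define NVEC 3       /* constructed test vectors, treated as sharing one salt */

static const char *vec_plain[NVEC] = { "AAAAAA", "CRACKPO", "IMPUNIT" };
static char keys[MAX_KEYS][16];
static uint32_t out[MAX_KEYS];

/* Toy FNV-1a hash standing in for the real format's computation (not LM). */
static uint32_t toy_hash(const char *s) {
    uint32_t h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}
static void set_key(const char *key, int index) {
    strncpy(keys[index], key, sizeof(keys[index]) - 1);
    keys[index][sizeof(keys[index]) - 1] = '\0';
}
/* buggy != 0 simulates a format that wraps key indexes at 4. */
static int crypt_all(int count, int buggy) {
    for (int i = 0; i < count; i++)
        out[i] = toy_hash(keys[buggy ? (i & 3) : i]);
    return count;
}
static int cmp_all(uint32_t binary, int count) {
    for (int i = 0; i < count; i++)
        if (out[i] == binary) return 1;
    return 0;
}
static int cmp_one(uint32_t binary, int index) { return out[index] == binary; }
/* Returns the number of mismatches; 0 means every index behaved correctly. */
int test_every_index(int buggy) {
    int i = 0, j = 0, failures = 0, expect[MAX_KEYS];
    while (i < MAX_KEYS) {
        expect[i] = j;                      /* index i holds vector j's password */
        set_key(vec_plain[j], i++);
        if (++j >= NVEC) j = 0;             /* repeat the pattern */
        if (i < MAX_KEYS) { expect[i] = -1; set_key("wrong password", i++); }
    }
    int count = crypt_all(MAX_KEYS, buggy); /* use the return value */
    for (int v = 0; v < NVEC; v++) {
        uint32_t binary = toy_hash(vec_plain[v]);
        if (!cmp_all(binary, count)) failures++;
        for (int k = 0; k < count; k++)
            if (cmp_one(binary, k) != (expect[k] == v)) failures++;
    }
    return failures;
}
```

With only the first hash and only index 0 checked, the simulated wrap-around defect would pass; checking every (index, hash) pair is what exposes it.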