Message-ID: <20150822183125.GA10715@openwall.com>
Date: Sat, 22 Aug 2015 21:31:26 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: testing every index (Re: more robustness)

On Sat, Aug 22, 2015 at 09:22:20PM +0300, Solar Designer wrote:
> On Sun, Aug 23, 2015 at 12:00:19AM +0800, Kai Zhao wrote:
> > Both "" and "XXXXXXXX" are the correct passwords ?
>
> I didn't expect this, but it seems so.

This is actually obvious from the code:

	memcpy(xor, cell, 8);
	for (pos = 0; pos < 8 && buffer[index].key[pos]; pos++)
		xor[pos] ^= buffer[index].key[pos];
	for (pos = 0; pos < 8; pos++)
		if (!xor[pos]) xor[pos] = 'X';
	DES_std_set_key(xor);

In our case the cell name is empty, so "xor" holds the password as-is.
When the password is shorter than 8, any number of 'X' or '\xd8' can be
appended to it without changing the resulting 56-bit DES key, because
the code would pad the password with 'X' anyway.

Alexander
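The padding equivalence described in the message above, as an added example that is not part of the original post or of John the Ripper's source. It assumes the cell name is passed as a C string zero-padded to 8 bytes and models the 56-bit key as the low 7 bits of each byte; `prepare_block` and `afs_key56` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the key preparation quoted in the message: XOR the password into
 * the 8-byte cell buffer, then replace every zero byte with 'X'.
 * Assumption: cell is a C string here, zero-padded to 8 bytes. */
static void prepare_block(const char *cell, const char *password,
                          unsigned char block[8])
{
    size_t n = strlen(cell);
    int pos;

    memset(block, 0, 8);
    memcpy(block, cell, n < 8 ? n : 8);
    for (pos = 0; pos < 8 && password[pos]; pos++)
        block[pos] ^= (unsigned char)password[pos];
    for (pos = 0; pos < 8; pos++)
        if (!block[pos])
            block[pos] = 'X';
}

/* Assumption: the 56-bit DES key keeps the low 7 bits of each byte, which is
 * what makes 'X' (0x58) and '\xd8' interchangeable in the message. */
uint64_t afs_key56(const char *cell, const char *password)
{
    unsigned char block[8];
    uint64_t key = 0;
    int pos;

    prepare_block(cell, password, block);
    for (pos = 0; pos < 8; pos++)
        key = (key << 7) | (block[pos] & 0x7F);
    return key;
}

int main(void)
{
    /* Constructed candidates; the empty cell name matches the case discussed. */
    const char *cands[] = { "", "X", "XXXXXXXX", "\xd8\xd8\xd8",
                            "pass", "passXX\xd8X", "pass1" };
    size_t i;

    for (i = 0; i < sizeof(cands) / sizeof(cands[0]); i++)
        printf("len=%zu key56=%014llx\n", strlen(cands[i]),
               (unsigned long long)afs_key56("", cands[i]));
    return 0;
}
```

In this model the equivalence holds only at positions where the cell buffer byte is zero; with a non-empty cell name, "" and "XXXXXXXX" no longer map to the same key.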