Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 21 Nov 2005 20:21:53 +0100
From: Michal Luczaj <>
Subject: Lotus Notes/Domino "more secure" password

Hello all,

I was asked by Solar Designer to forward this mail here, so here it

As far as I know, Domino is able to use two algorithms for computing
password hash.

The first one (the older one) is just a digest of keyword. Digest
function was provided by Jeff Fay and named "Lotus v5 Proprietary".
With further optimisations done by it is
included in a jumbo patch - .

Second method was claimed by IBM to be "more secure" because of salt
that complicated brute force attacks.

As there is already JtR module for the first approach, I couldn't find
anything that would suit my needs of cracking the "secure" option,
which seems to be, well, modern standard. Ehm, installer default

So I've decided to write my own. It took me many days as binary code
wasn't well documented, but finally I've managed to understand the
way things work.

The algorithm is:
1. Make 128bit digest of key.
2. Do bin2hex() of key digest and put braces around it.
3. Concat output of previous step to 5 bytes of salt.
4. Make 128bit digest of first 34 bytes (out of 39 bytes).
5. Compare first 10 bytes (out of 16) to check if the key was correct.

I'm just a beginner and reverse engeneering hashing function was out of
my reach. Happily, Domino designers are good people and hashing
function SECCalcMessageDigest was exported from nnotes.dll/
for any code reuse. So I wrote a JtR module and now it's available at
JtR's contrib dir as john-1.6.39-domino-bis-1.diff.gz .
(Yes, I know, badly written and ugly. Please, impove or rewrite it if
you have any ideas.)

When Solar Designer wrote me that depending on Lotus' binaries (they
are free to download from IBM's web site; included in installation
packages of Lotus Domino and Lotus Notes) is always a problem I've
tried to use Jeff's code as a replacement for SECCalcMessageDigest.
But it failed to give proper hash :(
BUT! It occured that Jeff's hash function from jumbo patch is working
great and gives correct digest,
BUT! only for less than 16 bytes of data. Previously I didn't notice
that, because my test-case password was 21 chars long.

So I decided to contact Mr Fay (Nov 1st) at jeff//sdii/com and - after
first mail bounced - at Jeff//patchadvisor/com. But got no reply at
all till now (Nov 21st). I may not have working email address (all that
google gave me) or he just may be not interested in digging in his own
code. I've asked him if (assuming that 16byte limit may be optimisation
choice of that time) he possibly have any "unlimited" version.

All I can add now is that Lotus Notes/Domino crypto API is based on
RSA's BSAFE library, while SECCalcMessageDigest is equivalent of RSA's
proprietary message digest algorithm called simply and mysteriously: MD.

Wow, that was a long story :)

Thanks for reading (bashing through my English) and - in advance -
for any help.

Best regards to all,
Michal Luczaj

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.