Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <50CFD7B8.5060605@gmail.com>
Date: Tue, 18 Dec 2012 08:10:56 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: gpg2john -> false positive -> how to exclude?

On Tuesday 18 December 2012 05:41 AM, magnum wrote:
> I tried adding FMT_NOT_EXACT and ran it for a couple hours with a toy 
> GPU. It found 10 "valid" guesses in 2h, 18 minutes (roughly 200 
> million candidates tried): bortaloo dyss ksm38b mrh1644 bh994co g5xck 
> 24279720 w0wory lt5ntyb 25318696 This "hash" type use the simplest 
> checksumming that will give one false positive out of 64K tries. I 
> notice the 'datalen' is short compared to the test vectors - 
> apparently short enough to emit a false positive from the BN_bin2bn() 
> function once out of about 300 tries. When both these false positives 
> occur for one same candidate, it will result in a false guess (about 
> once in 20 million tries).

So is there no way to avoid these false positives? How does gpg (still) 
figure out that the password is wrong?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.