|
Message-ID: <f31e3c850301d739c64ee52e091cf5af@smtp.hushmail.com> Date: Tue, 18 Dec 2012 07:23:20 +0100 From: magnum <john.magnum@...hmail.com> To: john-users@...ts.openwall.com Subject: Re: gpg2john -> false positive -> how to exclude? On 18 Dec, 2012, at 3:40 , Dhiru Kholia <dhiru.kholia@...il.com> wrote: > On Tuesday 18 December 2012 05:41 AM, magnum wrote: >> I tried adding FMT_NOT_EXACT and ran it for a couple hours with a toy GPU. It found 10 "valid" guesses in 2h, 18 minutes (roughly 200 million candidates tried): bortaloo dyss ksm38b mrh1644 bh994co g5xck 24279720 w0wory lt5ntyb 25318696 This "hash" type use the simplest checksumming that will give one false positive out of 64K tries. I notice the 'datalen' is short compared to the test vectors - apparently short enough to emit a false positive from the BN_bin2bn() function once out of about 300 tries. When both these false positives occur for one same candidate, it will result in a false guess (about once in 20 million tries). > > So is there no way to avoid these false positives? How does gpg (still) figure out that the password is wrong? Sure there is, I just described the current situation. I don't know what do add though. Maybe have a look at GPG sources? magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.