Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <00df01ce064c$9a7e6960$cf7b3c20$@net>
Date: Fri, 8 Feb 2013 16:35:31 -0600
From: "jfoug" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: RE: Cracking SHA1 with some knowledge of password

From: Lex Par [mailto:ziptied@...il.com] 
>This might be a silly question, but why is there a 55 byte max?


Not a silly question at all.  

the short answer:
the 19 byte limit (in the format I provided), is due to requirements from
the optimizations that are being used.


The full answer:
SHA1 (and MD4/MD5, etc), all work on 64 byte blocks. However, there are 9
'extra' bytes needed.  The bit (full byte) right after the data being
encrypted is set to a 1 (so that byte gets set to a 0x80). Then the last 8
bytes of the last block (there can be more than 1 block), is set to hold the
number of bits being encrypted, as an 8 byte integer value.  Thus to make
things fit into 1 SHA block, you can have 55 bytes of password, followed a
single byte 0x80. Then there are still 8 bytes left, which is just enough to
place the length of the bit stream.   Anything over 55 bytes, will not fit
into a single SHA1 buffer.  Encrypting 56 bytes with SHA1, requires 128
bytes of buffer (2 64 byte buffers) to be encrypted.

Within our SSE code in the dynamic format we can only encrypt a single
block.  More 'can' be encrypted, but causes more code, and another full SHA1
on that block. This extra code, slows down most 'common' searches for
passwords.  It is very uncommon, for passwords to go past this 55 byte
threshold, thus we have made an assumption that only a single block will be
allowed, which removes this extra code overhead.  If you really need to do
passwords longer than this, then it is best to leave this format as is (with
19 char password max), and then make another format, that uses the dynamic
flag:  MGF_NOTSSE2Safe   This will force that format to NOT use SSE, but
revert to using slower OpenSSL library to do the SHA1.  That will allow up
to 96 (or 125??) bytes to be in the password.  So, if there are 36 bytes
used, you can for sure handle up to 60 byte passwords.  However, It would be
best to ONLY use that format to check passwords between 20 and 60 bytes,
using the faster version to process passwords from 0 to 19 bytes long.  In
real world situations, 19 byte passwords make up almost ALL of them.  there
are a few that go longer than that (often these longer passwords ARE the
high value accounts).

Jim.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.