<< Previous Message Main Index Next Message >>
<< Previous Message in Thread This Month Next Message in Thread >>
Date   : Thu, 24 Nov 2011 21:38:20 +0000
From   : philb@... (Phil Blundell)
Subject: Request for Help - Security Research Project

On Tue, 2011-11-15 at 21:31 +0000, J.G.Harston wrote:
> Grabbing both the encrption key and the encrpyted password could
> possibly let you convert the encrypted password into plain text,
> but the encryption is lossy so would result in many different
> possible plain texts.

Right, exactly.  But the point is that all the "possible plain texts"
are equally valid.  It doesn't matter which one the user actually typed,
any of them will do for the purposes of re-encrypting under a new key.

> See http://mdfs.net/Docs/Books/SJMDFS/10-076 and
> http://mdfs.net/Apps/Networking/NetUtils/EncLogon

Yeah.  So, from that code, the important bit is:

LDA txt,Y                      :\ Get character from text buffer
LDX #0
.Lp3
ROR A:PHA:ROR A:EOR blk+6      :\ Encrypt this character into
ROL A:ROL A:ROL A:ROL A        :\  encryption key
EOR blk+6:ROR A:ROR A:ROR A
ROL blk+4:ROL blk+5:ROL blk+6
PLA:INX:CPX #5:BCC Lp3
ROR A:CPX #5:BEQ Lp3

This is basically just a combination of bit-shuffling and XOR, both of
which are reversible operations.  There are 24 bits of output, and each
one of them can be expressed as a binary XOR expression consisting of
bits from the input key and the password.  So, as a made-up example (I
haven't actually tried to figure out the right assignments) it might
turn out that output bit 0 can be written as:

P[57] XOR P[43] XOR K[18] XOR K[16] XOR K[1] XOR ...

where P[n] are the 80 bits of password input and K[n] are the 24 bits of
key input.  The actual sequence of XORs for each output bit will be
quite long (it loops 6 times for each of the 10 input characters, and
does 2 XORs per step) but not absolutely unmanageable.

This set of binary equations, whatever it turns out to be, is determined
entirely by the algorithm and is independent of the input data.  So you
only have to figure the equations out once and you can take your time
over it.

Now, if you've captured the input key data that the server supplied for
a particular logon, you know all the K[n] terms.  If you've also
captured the corresponding encrypted result then you know what the whole
string of XORs for each output bit evaluates to.  So, you can substitute
those known values into both sides of the equations, all the constants
drop out, and you will end up with 24 simple expressions of the form:

P[57] XOR P[4] XOR ... = 1
P[32] XOR P[9] XOR ... = 0

These 24 bits now depend only on the password, and in fact they capture
everything you need from the password in order to do a successful logon.

p.
<< Previous Message Main Index Next Message >>
<< Previous Message in Thread This Month Next Message in Thread >>