Full Disclosure mailing list archives
Re: Take the trash-talker challenge!
From: full-disclosure () lists netsys com (Daniel Hartmeier)
Date: Tue, 27 Aug 2002 17:39:03 +0200
On Tue, Aug 27, 2002 at 04:35:25AM -0700, aliver () xexil com wrote:
If my detractors would like to prove what a silly ass I am then they should feel free to reverse the encrypted message into plaintext.
Your key setup is broken:
memset(hash,0,16);
/* lets hash the keys. We get a 256 bit hash */
/* from md5, but xxtea takes a 128 bit key so */
/* the hash is truncated to the first 128 bits */
md5_init(&state);
md5_append(&state, (const md5_byte_t *) keyphrase, strlen(keyphrase));
md5_finish(&state, digest);
So far, so good. But
for (i = 0; i < 8; i++) {
snprintf(hbuf,3,"%02x",digest[i]);
memcpy(hash+(i*2),hbuf,2);
}
Now hash consists of 16 characters 0-9, a-f. That's 16^16 or 2^64
possible hashes. And hash is used as the key. So, effectively, you're
using 64 bit keys.
It's too large a key space to brute-force in 10 minutes for me, but it
should be obvious that it's a severe flaw nonetheless.
Daniel
Current thread:
- Take the trash-talker challenge! full-disclosure () lists netsys com (Aug 27)
- Take the trash-talker challenge! Nexus (Aug 27)
- Re: Take the trash-talker challenge! Daniel Hartmeier (Aug 27)
- Re: Take the trash-talker challenge! Roland Postle (Aug 27)
- Take the trash-talker challenge! Nicolas Couture (Aug 27)
- Take the trash-talker challenge! John Scimone (Aug 27)
- <Possible follow-ups>
- Re: Take the trash-talker challenge! zen-parse (Aug 27)
- Re: Take the trash-talker challenge! Paul Tinsley (Aug 27)
- Re: Take the trash-talker challenge! Steven M. Christey (Aug 27)
- Re: Take the trash-talker challenge! full-disclosure () lists netsys com (Aug 27)