lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.BSO.2.00.1002011244240.265@fuyu.mindrot.org>
Date: Mon, 1 Feb 2010 12:55:34 +1100 (EST)
From: Damien Miller <djm@...drot.org>
To: bugtraq@...urityfocus.com
Subject: Advisory: jBCrypt < 0.3 character encoding vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jBCrypt security advisory
=========================

jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing
algorithm, as described in "A Future-Adaptable Password Scheme" by Niels
Provos and David Mazieres (USENIX, 1999).

Versions of jBCrypt before 0.3 suffered from a bug related to character
encoding that substantially reduced the entropy of hashed passwords
containing non US-ASCII characters. An incorrect encoding step
transparently replaced such characters by '?' prior to hashing. In the
worst case of a password consisting solely of non-US-ASCII characters,
this would cause its hash to be equivalent to all other such passwords
of the same length.

jBCrypt-0.3, available from http://www.mindrot.org/projects/jBCrypt/
fixes this bug. Please note that passwords containing international
characters that were hashed using a previous version of jBCrypt will
not verify using jBCrypt-0.3. This may necessitate re-hashing of such
passwords.

This bug was responsibly disclosed by Aliaksandr Radzivanovich.


Damien Miller <djm@...drot.org>
February 1, 2010


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iD8DBQFLZjRjzo7LA4b/nEgRAlz9AJ9gBiRpX5UulfKIkaKthmG00dOxKgCdFYt6
pFhxXEcnqmWIeuo1ykT4nl4=
=WKbk
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ