lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110407170237.GC12726@sentinelchicken.org>
Date: Thu, 7 Apr 2011 10:02:37 -0700
From: Tim <tim-security@...tinelchicken.org>
To: Maksim.Filenko@...b.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cipher detection

> I'm trying to figure out what kind of cipher was used in this:
> 
> GGobQ2bsqd64PXVAmaDiDBg=
> 
> Looks like Base64, but it's not. The original string is:
> 
> dummy@...mple.com
> 
> Thanks all!


As Thor mentioned, since the ciphertext is not a multiple of a common
block cipher's block size (8 or 16 bytes), then an XOR might be in
use.  This points to either a block cipher in CFB, OFB, or similar
modes, or a stream cipher (RC4?), or some hack someone put together
that involves XORing some secret with the email address.

Your next step should be to have several different plaintexts
encrypted, then XOR away the plaintext from the ciphertext to get your
keystream for each.  If you see duplication across key streams, then
you might be looking at a bad hack or use of a cipher which reuses the
same IV for each email address, which is also a big no-no.

HTH,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ