Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Jul 2012 01:16:51 +0100
From: magnum <john.magnum@...hmail.com>
To: "john-dev@...ts.openwall.com" <john-dev@...ts.openwall.com>
Subject: Re: mscash2 / hmac-md5 ambiguity

We can't solve the underlying problem. How would we? If you can think of a solution just name it. 

magnum


On 26 jul 2012, at 00:09, Alexander Cherepanov <cherepan@...me.ru> wrote:

> On 2012-07-24 03:57, magnum wrote:
>> On 2012-07-23 23:19, Alexander Cherepanov wrote:
>>> On 2012-07-23 14:46, magnum wrote:
>>>> On 2012-07-23 11:47, Alexander Cherepanov wrote:
>>>>> mscash2 hashes in their canonical form are nevertheless accepted as
>>>>> hmac-md5:
>>>>> 
>>>>> $ cat mscash2.john
>>>>> chatelain:$DCC2$10240#chatelain#e4e15fdfafc8e715da9edec3611bfbff
>>>>> $ john mscash2.john
>>>>> Warning: detected hash type "mscash2", but the string is also recognized
>>>>> as "hmac-md5"
>>>>> Use the "--format=hmac-md5" option to force loading these as that type
>>>>> instead
>>>>> Loaded 1 password hash (M$ Cache Hash 2 (DCC2) PBKDF2-HMAC-SHA-1
>>>>> [128/128 SSE2 intrinsics 8x])
>>>>> guesses: 0  time: 0:00:00:02 0.00% (2)  c/s: 339  trying: 123456 -
>>>>> abc123
>>>>> Session aborted
>>>>> $ john --format=hmac-md5 mscash2.john
>>>>> Loaded 1 password hash (HMAC MD5 [128/128 SSE2 intrinsics 12x])
>>>>> guesses: 0  time: 0:00:00:02 0.00% (3)  c/s: 1120K  trying: 123man -
>>>>> 123mah
>>>>> Session aborted
>>>>> 
>>>>> IMHO that's not very good.
>>>> 
>>>> It was much worse until we forced hmac-md5 to lower precedence than
>>>> mscash. Now it is just cosmetic. That hash *is* a valid hmac-md5 hash,
>>>> with a salt of "$DCC2$10240#chatelain".
>>> 
>>> Were these forms chosen for compatibility with other tools? I mean it's
>>> a pity to have a special, canonical form for a hash which clashes with
>>> other formats.
>> 
>> It does not really clash, it just warns. It picks mscash2, emits the
>> notice and all is fine. Is it that bad? I loved when core got this feature.
> 
> Problem is not in the warning itself. The warning is helpful. The problem is what it warns about.
> 
> Suppose that Korelogic will include hmac-md5 in the upcoming contest. Then you cannot load these hashes without --format.
> 
> Second problem: you cannot put both types of hashes in one file. Wouldn't it be better to have only one file with all hashes? I mean, to have one file instead of 20 is very convenient. Then you can select desirable part of it with --format. But this is impossible when there are collisions in canonical forms of given types of hashes.
> 
>>>> We can stop this by
>>>> black-listing certain format salts. That's OK with me but in some way
>>>> it's a flawed path.
>>> 
>>> Agreed.
>> 
>> Just thinking out loud here: Let's say we could teach the hmac-MD5
>> format that "it" should not emit that warning if the salt starts with
>> $DCC2$10240# - as opposed to always reject it in valid(). In the
>> (unlikely) case this was really a hmac salt, we could still use the hmac
>> format using --format. If we don't, it will pick mscash2 and not
>> complain. The only problem with this approach is it's not supported by
>> the current core and I'm not sure how we could implement that... or...
>> perhaps hmac-md5's valid() could take a peek at options.format (the
>> --format argument) and behave differently if unset... maybe this is
>> possible. I might try that some time.
> 
> You mean to just silence the warning? I don't think it should be done without solving underlying problem.
> 
> -- 
> Alexander Cherepanov
> 

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ