Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 Jul 2012 01:16:51 +0100
From: magnum <john.magnum@...hmail.com>
To: "john-dev@...ts.openwall.com" <john-dev@...ts.openwall.com>
Subject: Re: mscash2 / hmac-md5 ambiguity

We can't solve the underlying problem. How would we? If you can think of a solution just name it. 

magnum


On 26 jul 2012, at 00:09, Alexander Cherepanov <cherepan@...me.ru> wrote:

> On 2012-07-24 03:57, magnum wrote:
>> On 2012-07-23 23:19, Alexander Cherepanov wrote:
>>> On 2012-07-23 14:46, magnum wrote:
>>>> On 2012-07-23 11:47, Alexander Cherepanov wrote:
>>>>> mscash2 hashes in their canonical form are nevertheless accepted as
>>>>> hmac-md5:
>>>>> 
>>>>> $ cat mscash2.john
>>>>> chatelain:$DCC2$10240#chatelain#e4e15fdfafc8e715da9edec3611bfbff
>>>>> $ john mscash2.john
>>>>> Warning: detected hash type "mscash2", but the string is also recognized
>>>>> as "hmac-md5"
>>>>> Use the "--format=hmac-md5" option to force loading these as that type
>>>>> instead
>>>>> Loaded 1 password hash (M$ Cache Hash 2 (DCC2) PBKDF2-HMAC-SHA-1
>>>>> [128/128 SSE2 intrinsics 8x])
>>>>> guesses: 0  time: 0:00:00:02 0.00% (2)  c/s: 339  trying: 123456 -
>>>>> abc123
>>>>> Session aborted
>>>>> $ john --format=hmac-md5 mscash2.john
>>>>> Loaded 1 password hash (HMAC MD5 [128/128 SSE2 intrinsics 12x])
>>>>> guesses: 0  time: 0:00:00:02 0.00% (3)  c/s: 1120K  trying: 123man -
>>>>> 123mah
>>>>> Session aborted
>>>>> 
>>>>> IMHO that's not very good.
>>>> 
>>>> It was much worse until we forced hmac-md5 to lower precedence than
>>>> mscash. Now it is just cosmetic. That hash *is* a valid hmac-md5 hash,
>>>> with a salt of "$DCC2$10240#chatelain".
>>> 
>>> Were these forms chosen for compatibility with other tools? I mean it's
>>> a pity to have a special, canonical form for a hash which clashes with
>>> other formats.
>> 
>> It does not really clash, it just warns. It picks mscash2, emits the
>> notice and all is fine. Is it that bad? I loved when core got this feature.
> 
> Problem is not in the warning itself. The warning is helpful. The problem is what it warns about.
> 
> Suppose that Korelogic will include hmac-md5 in the upcoming contest. Then you cannot load these hashes without --format.
> 
> Second problem: you cannot put both types of hashes in one file. Wouldn't it be better to have only one file with all hashes? I mean, to have one file instead of 20 is very convenient. Then you can select desirable part of it with --format. But this is impossible when there are collisions in canonical forms of given types of hashes.
> 
>>>> We can stop this by
>>>> black-listing certain format salts. That's OK with me but in some way
>>>> it's a flawed path.
>>> 
>>> Agreed.
>> 
>> Just thinking out loud here: Let's say we could teach the hmac-MD5
>> format that "it" should not emit that warning if the salt starts with
>> $DCC2$10240# - as opposed to always reject it in valid(). In the
>> (unlikely) case this was really a hmac salt, we could still use the hmac
>> format using --format. If we don't, it will pick mscash2 and not
>> complain. The only problem with this approach is it's not supported by
>> the current core and I'm not sure how we could implement that... or...
>> perhaps hmac-md5's valid() could take a peek at options.format (the
>> --format argument) and behave differently if unset... maybe this is
>> possible. I might try that some time.
> 
> You mean to just silence the warning? I don't think it should be done without solving underlying problem.
> 
> -- 
> Alexander Cherepanov
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ