Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Dec 2012 19:17:43 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Formats dmg, encfs and strip crash on longer passwords

On 12/28/2012 06:21 PM, Dhiru Kholia wrote:
> The problem is in the pbkdf2 code I borrowed from Lukas ;)
> 
> The following patch (which is sure to be wrong!) avoids the crash.
> 
> diff --git a/src/encfs-pbkdf2.h b/src/encfs-pbkdf2.h
> index 0cb0f4a..9a5ae17 100644
> --- a/src/encfs-pbkdf2.h
> +++ b/src/encfs-pbkdf2.h
> @@ -282,7 +282,7 @@ void preproc(const uint8_t * key, uint32_t keylen,
>  {
>         int i;
>         uint32_t W[16], temp;
> -       uint8_t ipad[20];
> +       uint8_t ipad[32];
>         uint32_t A = INIT_A;
>         uint32_t B = INIT_B;
>         uint32_t C = INIT_C;

Yes, this doesn't look like a correct fix, given the
context. It just avoids the crash.
Can you get real hashes for passwords with a length > 20?
Without a valid test case, it is hard to tell what needs to be done if
longer passwords occur.

BTW: This only "fixes" encfs, since dmg and strip include keychain.h
instead.

> The same problem exists in formats using same or similar pbkdf2 code.

keychain.h and encfs-pbkdf2.h are quite similar.
I think we should aim to move all reusable code out of these 2 files
into a separate file.

> What should be the max password length (which actually works) for
> formats using your pbkdf2 code?. Can it be increased?

The more interesting question is: what is the maximum password length
supported by the software which creates/uses these hashes?

Then we can decide how to adjust these formats:
-Mac OS X Keychain PBKDF2-HMAC-SHA-1 3DES
-Apple DMG PBKDF2-HMAC-SHA-1 3DES / AES
-STRIP Password Manager PBKDF2-SHA1
-EncFS PBKDF2 AES / Blowfish
-1Password Agile Keychain PBKDF2-HMAC-SHA-1 AES
-Kerberos 5 AS-REQ Pre-Auth etype 17/18 aes-cts-hmac-sha1-96

For some reason, I didn't find a problem with max. password length for
krb5pa-sha1, even though it claims to support passwords with a length of
up to 125 bytes.

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.