Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 22 Aug 2015 05:16:06 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: testing every index (Re: more robustness)

On Fri, Aug 21, 2015 at 04:37:41PM +0800, Kai Zhao wrote:
> On Mon, Aug 17, 2015 at 9:52 PM, Solar Designer <solar@...nwall.com> wrote:
> > [0] = "AAAAAA"
> > [1] = "wrong password"
> > [2] = "AAAAAAA"
> > [3] = "wrong password"
> > [4] = "CRACKPO"
> > [5] = "wrong password"
> > [6] = "IMPUNIT"
> > [7] = "wrong password"
> > ...
> 
> If we are testing the first hash '$LM$a9c604d244c4e99d', only
> "AAAAAA" is correct, "AAAAAAA", "CRACKPO" and "IMPUNIT"
> are incorrect passwords. Why introduce those passwords ?

You shouldn't be testing only the first hash - you should be testing all
hashes (with a given salt) at once, just like JtR does when cracking
passwords.  In pseudo-code (with some omissions), it's like this:

	set_salt(...);
	while (i < max) {
		set_key(next correct password, i++);
		if (i < max)
			set_key(wrong password, i++);
		if (j > test vector count)
			j = 0; /* Repeat the pattern */
	}
	crypt_all(); /* Don't forget to use its return value */
	check cmp_all() against each hash with the given salt
	check cmp_one() against each combination of index, hash
	check cmp_exact() and get_hash[]() similarly

However, you have a good point: for salted hashes, there might not be
more than one test vector with a given salt (although often we do have
several per salt).  In that case yes, you're more limited in what
correct passwords you can include, and the pattern (to be repeated)
becomes rather short.

> I am a little confused. For example:
> 
> We are testing the first hash '$LM$a9c604d244c4e99d' whose
> correct password is "AAAAAA".
> 
> 1. All correct
> 
> key[0] = "AAAAAA"
> key[1] = "AAAAAA"
> key[2] = "AAAAAA"
> key[3] = "AAAAAA"
> ...
> 
> 2. All incorrect
> 
> key[0] = "wrong password"
> key[1] = "wrong password"
> key[2] = "wrong password"
> key[3] = "wrong password"
> ...
> 
> 3. Even index is correct
> 
> key[0] = "AAAAAA"
> key[1] = "wrong password"
> key[2] = "AAAAAA"
> key[3] = "wrong password"
> ...
> 
> 4. Odd index is correct
> 
> key[0] = "wrong password"
> key[1] = "AAAAAA"
> key[2] = "wrong password"
> key[3] = "AAAAAA"
> ...
> 
> 5. The ith password is correct if hash(i) is even, otherwise incorrect
> 
> key[0] = "AAAAAA"
> key[1] = "AAAAAA"
> key[2] = "wrong password"
> key[3] = "AAAAAA"
> ...
> 
> 6. The ith password is correct if hash(i) is odd, otherwise incorrect
> 
> key[0] = "wrong password"
> key[1] = "wrong password"
> key[2] = "AAAAAA"
> key[3] = "wrong password"
> ...
> 
> Is this what you mean ?

No.  You should in fact use all test vectors' correct passwords that we
have at a time, as long as they fit under max_keys_per_crypt.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.