Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 22 Aug 2015 21:31:26 +0300
From: Solar Designer <>
Subject: Re: testing every index (Re: more robustness)

On Sat, Aug 22, 2015 at 09:22:20PM +0300, Solar Designer wrote:
> On Sun, Aug 23, 2015 at 12:00:19AM +0800, Kai Zhao wrote:
> > Both "" and "XXXXXXXX" are the correct passwords ?
> I didn't expect this, but it seems so.

This is actually obvious from the code:

		memcpy(xor, cell, 8);
		for (pos = 0; pos < 8 && buffer[index].key[pos]; pos++)
			xor[pos] ^= buffer[index].key[pos];

		for (pos = 0; pos < 8; pos++)
			if (!xor[pos]) xor[pos] = 'X';


In our case the cell name is empty, so "xor" holds the password as-is.
When the password is shorter than 8, any number of 'X' or '\xd8' can be
appended to it without changing the resulting 56-bit DES key, because
the code would pad the password with 'X' anyway.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.