Date: Sat, 22 Aug 2015 21:31:26 +0300 From: Solar Designer <solar@...nwall.com> To: john-dev@...ts.openwall.com Subject: Re: testing every index (Re: more robustness) On Sat, Aug 22, 2015 at 09:22:20PM +0300, Solar Designer wrote: > On Sun, Aug 23, 2015 at 12:00:19AM +0800, Kai Zhao wrote: > > Both "" and "XXXXXXXX" are the correct passwords ? > > I didn't expect this, but it seems so. This is actually obvious from the code: memcpy(xor, cell, 8); for (pos = 0; pos < 8 && buffer[index].key[pos]; pos++) xor[pos] ^= buffer[index].key[pos]; for (pos = 0; pos < 8; pos++) if (!xor[pos]) xor[pos] = 'X'; DES_std_set_key(xor); In our case the cell name is empty, so "xor" holds the password as-is. When the password is shorter than 8, any number of 'X' or '\xd8' can be appended to it without changing the resulting 56-bit DES key, because the code would pad the password with 'X' anyway. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.