Date: Fri, 15 Feb 2013 18:47:17 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: SSHA-512 supported?

Holy cow... this will end up in a CVE. The "secure password hash mechanisms" are merely security by obscurity, and soon enough they're not even that.

Thanks!

magnum


On 15 Feb, 2013, at 16:58 , Jon Schipp <jonschipp@...il.com> wrote:

> I did a head on each; if you need the full output of each example, let
> me know. The first one is longer indeed; it looks right to me at first
> glance. The output of time, shown below, is for the full output, not
> "time ./AIXtest | head".
> Replies below.
> 
> On Thu, Feb 14, 2013 at 6:58 PM, magnum <john.magnum@...hmail.com> wrote:
>> On 14 Feb, 2013, at 14:45 , Jon Schipp <jonschipp@...il.com> wrote:
>> 
>>> I have gcc on the box.
>>> 
>> 
>> Here is a C version of what Solar did in perl. Please compile it and run it (with time) with no argument first (will use a hardcoded salt of '{ssha512}04$................$'). If it outputs longer strings than perl did, we scored. If so, you can run the rest and post all results:
>> 
>> time ./AIXtest
> {ssha512}04$................$qOMgc2gLmZZ4KsIJFef07Wm54lFSvfhV5FEfeMmCarf84AEZDLUwD54oevTg3xFifT9/C/CC77.Pp8oVuTbL..
> 23 {ssha512}04$................$.Vfpvvpe15P36wrPFpx94XSfO/DB97yPUFMOBYP5BS/Rh1XX4oMOZ6l.i47CP3e7WOl7m.2wesl7soJN2XJ...
> 39 {ssha512}04$................$RGlu2fgkOSPXNLaDg99BYqq6zhTLvM1afeCJl44FJbOnempp/esA4NNTtg9bSrLMsSEU0z1jNycvm539kY8...
> 62 {ssha512}04$................$EnHJfjut9gLGWosb6xFUGkNqZJUvG/TGXEpCdUJnU9KUUIWYrEl/C3oI1AEXehOx1xCiWS4CHJokIB5zjYY...
> 153 {ssha512}04$................$cIUQM5HJS98c1b2t2nnIKpOVYJXAwbiCmsSlfo2aCnLJSgNvldN4rDPZXsbRp.wGw0HZ1b.C5pX4iVXrfUe...
> 160 {ssha512}04$................$Gscxa9fCG40VoPx.6z4sFjXczwTykopcS653Hal9hGJFaYnag4xInngCf1RjwK9K5err6PkfGD47N3xkz3p...
> 274 {ssha512}04$................$A7J5fmuSJ2Urc3Gq6.Fxr5yDszcRsZB/HeT3AdQbeV.n7XeA/w2Ra2xqQAzsoUI9GCcKCQwhBO6Jh/4A54K...
> 303 {ssha512}04$................$Fz2RcZdefsUUTfgniG2VtR5P34MgCDgeePc99wRlQKBEfA6fc5iBbVVfe.lr.XOp/ubpw2NFJzUvDECdDLf...
> 
> real    0m10.269s
> user    0m8.886s
> sys     0m0.002s
> 
>> time ./AIXtest '{ssha512}06$................$'
> 
> {ssha512}06$................$rzwMC3KYjlxIkvr6SM7wqPrnyJZlfEM7mHecCrSHnFTnaRt.QeQIYtL3aJ5dTeTfcLLju9CjZVEls8SWC0Is..
> 0 {ssha512}06$................$Z5N0qr6a8ploTM7Zjqd/xi/Om68kQWwrHDpGIh5WS7yHconxY10RKX7GCS0DEAKqm6LhwzJco/HuOtaSh9C...
> 2 {ssha512}06$................$XX8PXJVvDMKtKaSoBEWxrsWBB9/Kq5Imlf7q4O2LXvbES2GWekGCxK3NMvDc76P0nL7IO8Yxw.TjoTTJxNH...
> 15 {ssha512}06$................$31llCKo2kJMj/feNGW6BeboIHGi80P/MINPPJv3ruSpA1Ahz1hUzDv8h0xZw4d2WwbJBvzjoBGZ5BQt4vqc...
> 44 {ssha512}06$................$0egLaF88SUk6GAFIMN/vTwa/IYB.KlubYmjiaWvmQ975vHvgC3rf0I6ZYzgyUiQftS8qs7ULLQpRLrA3LA....
> 50 {ssha512}06$................$DtoKrXLunZuWAB5YTst8fmRSPbvJpw2QIYvwHgHWic8ca51iNz2WoV0zoOp.LNmNGODpBJp17um1EFfXDW7...
> 57 {ssha512}06$................$vk3Ti47cfasVasf2rgMp/LsTE37HC51oq4BdjkhBArV08gpoe./s8VuhQd1hp4Er29OiNGb6Hh3JTGdZnqC...
> 75 {ssha512}06$................$71vDkRp8S0GNO96tgcvKDz7y8YYEenW8/mltpQsHuiueaHxSEMl1LMzQZTGQt7w.NLWoyb0WKZZfLuVtFIK...
> 
> real    0m40.151s
> user    0m34.821s
> sys     0m0.002s
> 
>> time ./AIXtest '{ssha256}04$................$'
> 
> {ssha256}04$................$xpb2nkg55xiQgVFCsXifHmc1VHUmOOHd2Gdo1vfF.ck
> 346 {ssha256}04$................$z55iqrvCilspEf.tEhtey3fWP2dKQ8L5o54wWMUh...
> 1434 {ssha256}04$................$vlKYFh0apsR6XELOq8mdi9XCDemM0nu8hGo0j3Jz...
> 1482 {ssha256}04$................$rN9fNFGqUFMv6xo9sTgUw0Annxy9XUwAO.vv83R...Z
> 1616 {ssha256}04$................$vKnakeeuMBxKzih9JQu2xgRCzTq0xig4VoSBUO6...K
> 1719 {ssha256}04$................$fMvOegAdjPtbcekvGQ518TN1cQ1JGlyRt7e5JL...E7
> 1877 {ssha256}04$................$6Ybv9G7OT3jqw9.tezMWFXHudlIpjpnRBllsXRW...W
> 2278 {ssha256}04$................$Ei/OwycJeFJbtSKf4VmaIBWUPi6d/K5GMHWjkuBn...
> 
> real    0m3.145s
> user    0m2.688s
> sys     0m0.001s
> 
>> time ./AIXtest '{ssha256}06$................$'
> 
> {ssha256}06$................$2N0lSYTXQ.ZQGL5sobToE8qguffrFFPoHPyrluB7.UO
> 216 {ssha256}06$................$cfv6iSZDcfrzV2RSFOgi35rTsxOa5W7DMwsGMxc...k
> 388 {ssha256}06$................$oFZbX6vUkptvjol7w28QBckHezycBjvwm7b.RRA...J
> 718 {ssha256}06$................$bkzCmuDgsND.DWjvtGFLpNftocizl3WAlWk3y/Rt...
> 1258 {ssha256}06$................$jow8PNe4r0yc9qIONXq5T90fgpBdGXXQdkr0N7T...F
> 2255 {ssha256}06$................$A9IP9nPRWAga9LgLYKHpXTlbV90CQ5UvgN5v1zq...m
> 2379 {ssha256}06$................$.zcKazyNvMEf4k1mWrsnu3lpMB9P6TqCOAYHvmKH...
> 2564 {ssha256}06$................$FZobzSI3oIEVik5o/OQKcl.CxrFZBkLHFizS63V...6
> 
> real    0m11.788s
> user    0m10.145s
> sys     0m0.001s
> 
>> time ./AIXtest '{ssha1}04$................$'
> 
> 99045 {ssha1}04$................$S1HJv/j7MeM2tYOf891FyMED...
> 99149 {ssha1}04$................$mGLvbJPLgfleiwiFOAM2qsMK...
> 99512 {ssha1}04$................$4Zw6uQXX20AEPRhjOtknvA...AH
> 99694 {ssha1}04$................$j1HBjCJfd.i1vSOhOwqOdv6...K
> 99743 {ssha1}04$................$Zdf6fZLQCVLvfVNlqW69k3iX...
> 
> real    0m2.485s
> user    0m2.116s
> sys     0m0.001s
> 
>> time ./AIXtest '{ssha1}06$................$'
> 
> {ssha1}06$................$9KLRvaXdbrbUilJEMqHdq/4U.oc
> 188 {ssha1}06$................$mhE/TP0leX4nNgIX1rkgAvBS...
> 432 {ssha1}06$................$a94N5VoWkWeex1tSQyX0Oyxf...
> 1921 {ssha1}06$................$62.pZQsm5f1kHVjWbXzTFj2...K
> 2367 {ssha1}06$................$kuvwCpqMu2EbtDi5Euv1XDC...E
> 2883 {ssha1}06$................$7Yf7WMoIqC0EZmFNyy99xzgI...
> 2940 {ssha1}06$................$JhUoxls/GMa.E/1.pzpw01C...S
> 3172 {ssha1}06$................$Y7/Su1e6vYUm6y3EpStD15ae...
> 
> real    0m9.263s
> user    0m7.930s
> sys     0m0.001s
> 
>> time ./AIXtest '{smd5}........$'
> 
> {smd5}........$4o0BaQI/btZhowgUF4s8n0
> 9891 {smd5}........$NRJZUCTpM58CrbraC8....
> 13531 {smd5}........$8QndCM8ON...FcF0VE5Xp.
> 18342 {smd5}........$U4zHOI7MRha...zivI7lC.
> 20030 {smd5}........$Y5.6BJviwxX77lP9Zgf...
> 23077 {smd5}........$b...r9rBUIC85Wjozd/Jk/
> 50772 {smd5}........$/ahf800./ZwC/48...xjY0
> 66649 {smd5}........$sJn...8.dg.NbAGEepJPR/
> 
> real    0m58.555s
> user    0m49.184s
> sys     0m0.002s
> 
>> time ./AIXtest '$1$........$'
> 
> $1s0Hjn7kstEE
> 
> real    0m15.627s
> user    0m12.661s
> sys     0m0.001s
> 
>> time ./AIXtest '$6$................$'
> 
> $6yW4NzrSbN6w
> 
> real    0m15.642s
> user    0m12.669s
> sys     0m0.001s
> 
> Thanks!!!
> Jon
> 

