Date: Sun, 18 Oct 2015 18:37:28 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Azure AD password sync, and needing PBKDF2 in dynamic modes

Hi,

Just off Twitter:

<MGrafnetter> I have done a thorough security analysis of the #Azure AD
password sync feature:
https://www.dsinternals.com/en/how-azure-active-directory-connect-syncs-passwords/
#DSInternals

https://pbs.twimg.com/media/CRmt2laWwAAsv7v.png

It looks like we need:

OrgId Hash(plaintext) := PBKDF2( UTF-16( ToUpper( ToHex( MD4( UTF-16(plaintext))))), RND(10), 100, HMAC-SHA256, 32)

JimF's dynamic mode compiler lets us do:

$ ./john -test -form=dynamic='MD4(utf16($p))'
Benchmarking: dynamic=MD4(utf16($p)) [128/128 AVX 4x3]... DONE
Raw:    7227K c/s real, 7227K c/s virtual

which I think corresponds to the "ToUpper(ToHex(MD4(UTF-16(plaintext))))"
portion.  We could also add an outer utf16() if we had somewhere to plug
it into, like:

$ ./john -test -form=dynamic='sha256(utf16(MD4(utf16($p))))'
Benchmarking: dynamic=sha256(utf16(MD4(utf16($p)))) [128/128 AVX 4x]... FAILED (cmp_all(1))

Oops, no idea why it fails self-test, but anyway it looks like we need to
have HMAC and PBKDF2 added to the dynamic compiler.  I expect this would
be useful on more occasions.

Jim?

Alexander
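Added worked example (editor's code, not part of the message above and not John the Ripper's dynamic compiler): the OrgId construction as written in the message, computed stage by stage, so that each layer (NT hash, upper-case hex, second UTF-16 encoding, PBKDF2-HMAC-SHA256 with a 10-byte salt and 100 iterations) is visible. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3. Assumptions, labelled in the code: "UTF-16" means UTF-16LE as on Windows, the fixed salt is a constructed value, and the function names are mine. A verify_orgid() helper shows the defender-side check a sync consumer would perform against a stored salt and digest.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

# Constructed example values (not from the message): a fixed 10-byte salt
# standing in for RND(10), plus the iteration count and output length it quotes.
EXAMPLE_SALT = bytes.fromhex("00112233445566778899")
ITERATIONS = 100
DKLEN = 32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib often lacks md4."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    # (round function, message-word order, per-step shifts, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, idx, shifts, k in rounds:
            for i in range(16):
                t = (a + fn(b, c, d) + x[idx[i]] + k) & mask
                # Rotate the working variables so step i+1 updates the next register.
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(plaintext: str) -> bytes:
    """Inner stage MD4(UTF-16(plaintext)); UTF-16LE is assumed, as on Windows."""
    return md4(plaintext.encode("utf-16-le"))


def orgid_hash(plaintext: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2(UTF-16(ToUpper(ToHex(MD4(UTF-16(plaintext))))), salt, 100, HMAC-SHA256, 32)."""
    if len(salt) != 10:
        raise ValueError("the message specifies a 10-byte random salt, RND(10)")
    # ToHex then ToUpper, then the outer UTF-16 encoding of that 32-char ASCII string.
    inner = nt_hash(plaintext).hex().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", inner, salt, iterations, DKLEN)


def new_orgid_record(plaintext: str) -> Tuple[bytes, bytes]:
    """Fresh salt plus digest, as a sync producer would store them (assumed layout)."""
    salt = os.urandom(10)
    return salt, orgid_hash(plaintext, salt)


def verify_orgid(plaintext: str, salt: bytes, stored: bytes) -> bool:
    """Consumer-side check: recompute and compare in constant time."""
    return hmac.compare_digest(orgid_hash(plaintext, salt), stored)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex().upper())
    print("OrgId hash with example salt:", orgid_hash("password", EXAMPLE_SALT).hex())
```

The cost profile the message is after is visible here: the MD4 stage is one 64-byte block per candidate, while the PBKDF2 stage costs 2 x 100 HMAC-SHA256 compressions, which is why an HMAC/PBKDF2 primitive in the dynamic compiler rather than a chain of plain hashes is needed to express it.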