HP3000-L Archives

October 1998, Week 4

HP3000-L@RAVEN.UTC.EDU

Date: Thu, 22 Oct 1998 11:16:14 -0700

Greg Stigers writes:

>The PKZip manual has a handy little table to explain password "hacking" time
>for a brute force attack on their encryption key method of protecting a ZIP
>file, at the rate of 10,000 keys attempted per second. This does not take
>into account the expected value, dividing by two per Gavin and Wirt, and
>would be pretty tricky to pull off on a console. Of course, for MPE, case
>does not matter, so starting with the 26*36^chars-1 calculation, what I came
>up with is in the last column, provided for comparison's sake to the others
>at the difficult rate of 10,000 attempts per second.

Password hacking can be made considerably easier if you can get more
information about the length of the correct password by indirect means.
This is hard to do from a terminal, but relatively easy to do from a
program trying to find a file lockword or other password.

The classic attack is to select your memory layout carefully, so that the
password to be passed to the OS is located near an access boundary:

          -------+------
                A|
          -------+------
                 |
                 ^End of memory page

Now, call the open/changelogon/whatever routine specifying the address of
the "A" as the password. If the first letter of the real password isn't
"A", the system will return a password violation. If the first letter is
"A" and the system goes on to look at the second letter, you'll get a
bounds violation. Thus, you can determine the first letter of the
password in at most 26 trials, or 13 on average. The second letter can be
found the same way, by moving the password back one letter. So instead of
a maximum of 26*36^7 trials, you can find the password with at most
26+36*7, or 278 trials.

Most operating systems today are smart enough to copy the password
elsewhere before comparing it (this was fixed in MPE around 1980, as I
recall). This prevents the program from getting any information about the
length of the password this way, and also thwarts several other attacks.

But there may be other ways to decompose the password, all based on the
fact that fewer machine cycles will be needed to reject a password that's
correct to fewer places. Interrupts and cache state changes will disrupt
the timing to some extent, but there may still be enough timing
information available over multiple trials to detect the difference --
particularly on architectures with system-clock driven counters, like
HP-PA.

-- Bruce


--------------------------------------------------------------------------
Bruce Toback    Tel: (602) 996-8601| My candle burns at both ends;
OPT, Inc.            (800) 858-4507| It will not last the night;
11801 N. Tatum Blvd. Ste. 142      | But ah, my foes, and oh, my friends -
Phoenix AZ 85028                   | It gives a lovely light.
btoback AT optc.com                |     -- Edna St. Vincent Millay
Mail sent to [log in to unmask] will be inspected for a
fee of US$250. Mailing to said address constitutes agreement to
pay, including collection costs.
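The early-exit comparison the message describes, beside the "copy it elsewhere, then compare" fix, as an added C illustration that is not part of the original post or of MPE: the work counter stands in for the machine cycles a caller could time, and STORED and PW_MAX are constructed sample values.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample password (upper-case, since MPE ignores case). */
#define PW_MAX 8
static const char STORED[PW_MAX + 1] = "SECRET7";

/* Naive check: returns at the first mismatching byte. 'work' counts the byte
   compares performed, standing in for machine cycles: it equals the matched
   prefix length + 1, so timing the call reveals how many leading characters
   of the guess were right. */
int naive_check(const char *stored, const char *guess, size_t *work) {
    size_t i;
    *work = 0;
    for (i = 0; ; i++) {
        (*work)++;
        if (stored[i] != guess[i]) return 0;   /* early exit leaks the position */
        if (stored[i] == '\0') return 1;       /* both strings ended: match */
    }
}

/* Hardened check: copies both strings into private fixed-size buffers before
   comparing (the "copy elsewhere" fix), rejects over-long input before reading
   past the caller's bytes, and examines every byte of the fixed buffer so the
   work is identical whether the guess fails at byte 0 or matches entirely. */
int hardened_check(const char *stored, const char *guess, size_t guess_len, size_t *work) {
    unsigned char a[PW_MAX] = {0}, b[PW_MAX] = {0};
    unsigned char diff = 0;
    size_t i;
    *work = 0;
    if (guess_len > PW_MAX || strlen(stored) > PW_MAX) return 0; /* length is public */
    memcpy(a, stored, strlen(stored));
    memcpy(b, guess, guess_len);               /* touches only bytes the caller owns */
    for (i = 0; i < PW_MAX; i++) {
        (*work)++;
        diff |= a[i] ^ b[i];                   /* accumulate, never exit early */
    }
    return diff == 0;
}

/* Wrappers against the sample password, exposing the observable work and result. */
size_t naive_work(const char *guess)    { size_t w; naive_check(STORED, guess, &w); return w; }
size_t hardened_work(const char *guess) { size_t w; hardened_check(STORED, guess, strlen(guess), &w); return w; }
int naive_ok(const char *guess)    { size_t w; return naive_check(STORED, guess, &w); }
int hardened_ok(const char *guess) { size_t w; return hardened_check(STORED, guess, strlen(guess), &w); }
```

With the naive routine the work grows by one for each correct leading character; the hardened routine always performs PW_MAX compares.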
