On Sat, May 11, 2024 at 4:17 PM Jacob Moody <mo...@posixcafe.org> wrote:
> On 5/11/24 14:59, Dan Cross wrote:
> > On Sat, May 11, 2024 at 3:36 PM hiro <23h...@gmail.com> wrote:
> >>> explanation of dp9ik, which while useful, only
> >>> addresses what (I believe) Richard was referring to in passing, simply
> >>> noting the small key size of DES and how the shared secret is
> >>> vulnerable to dictionary attacks.
> >>
> >> i don't remember what richard was mentioning, but the small key size
> >> wasn't the only issue, the second issue is that this can be done
> >> completely offline. why do you say "only", what do you think is
> >> missing that should have been documented in addition to that?
> >
> > Probably how a random teenager could break it in an afternoon. :-)
>
> If we agree that:
>
> 1) p9sk1 allows the shared secret to be brute-forced offline.
> 2) The average consumer machine is fast enough to make a large amount of
> attempts in a short time,
> in other words triple DES is not computationally hard to brute force these
> days.
>
> I don't know how you don't see how this is trivial to do.
> A teenager can learn to download hashcat, all that is missing from this right
> now is some python
> script to get the encrypted shared secret from a running p9sk1 server. All
> the code for doing
> this is already written in C as part of the distribution, you just have to
> only do half the
> negotiation and break out. I think you vastly underestimate the
> resourcefulness of teenagers.
>
> I had previously stated I would publish the PoC that friends of mine in
> university built
> as part of their class, I have been asked to not do that so I will not.
To be clear: _I'm_ not saying it can't be done. I don't know that it
can be done in an _afternoon_; maybe a day or two, but I honestly
don't know. I was just trying to clarify what (I think) Richard was
asking for.
- Dan C.
------------------------------------------
9fans: 9fans
Permalink:
https://9fans.topicbox.com/groups/9fans/Tde2ca2adda383a3a-Me442d3920e7aeed16791c3f8
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
