--
>> My questions are: A) is this as vulnerable as it
>> seems at first blush? B) how many password/hex pairs
>> would be needed to deduce the underlying algorithm?,
>> C) If one could deduce the algorithm, could the
>> attack be generalized so that it could be used
>> against other enterprises that use the same software?
>> (It is very(!) widely deployed), and D) am I missing
>> something in my thinking?
> A) yes it is vulnerable. B) none - it would take no
> time to reverse engineer the entire algorithm out of
> the executable. C) yes of course. D) just how bad this
> is.
Concerning B: If the implementors of the system had
half a brain, they probably did something reasonable to
generate the hex, such as hashing the password with a
large secret, in which case no number of password hex
pairs will reveal the algorithm.
By and large, security systems that are covered by an
NDA are covered by an NDA because they are not very
good, and the seller of the system intends to send
anyone to jail who widely publicizes the fact that they
are not very good.
Approach with care.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
MGjeTFQKB0Wa89CvalWg8qz/BAWRAwDEUL0m4Kkn
4VpuVXjmJfOnK1OLnn3wsm24Y9ES8GObzFkOVY4XV
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
