-- >> My questions are: A) is this as vulnerable as it >> seems at first blush? B) how many password/hex pairs >> would be needed to deduce the underlying algorithm?, >> C) If one could deduce the algorithm, could the >> attack be generalized so that it could be used >> against other enterprises that use the same software? >> (It is very(!) widely deployed), and D) am I missing >> something in my thinking?
> A) yes it is vulnerable. B) none - it would take no > time to reverse engineer the entire algorithm out of > the executable. C) yes of course. D) just how bad this > is. Concerning B: If the implementors of the system had half a brain, they probably did something reasonable to generate the hex, such as hashing the password with a large secret, in which case no number of password hex pairs will reveal the algorithm. By and large, security systems that are covered by an NDA are covered by an NDA because they are not very good, and the seller of the system intends to send anyone to jail who widely publicizes the fact that they are not very good. Approach with care. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG MGjeTFQKB0Wa89CvalWg8qz/BAWRAwDEUL0m4Kkn 4VpuVXjmJfOnK1OLnn3wsm24Y9ES8GObzFkOVY4XV --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]