DESFingerprint question

Posted: Wed Nov 05, 2003 3:53 am
by PB
I don't know if this is a bug or not, but check out these results:

Debug DESFingerprint("password","key") ; Returns keZqlq1fzdLxy
Debug DESFingerprint("password","test") ; Returns teobtLiiGEOk
Debug DESFingerprint("password","hmm") ; Returns hmNjoJWFxoXj2

Notice how the first two characters of the results are the actual first two
characters from the keys themselves? Is that normal for this encryption?
Doesn't seem very secure to me, so I've had to use this instead:

Debug Mid(DESFingerprint("password","key"),3,11)

Comments?

Posted: Wed Nov 05, 2003 9:57 am
by Fred
It's the crypt algorithm which works that way. It's the basic encryption scheme for Linux passwords, so I bet it's rather secure :D. The 'salt' is 2 characters; you're right, I should mention it in the docs.

Take a look here, it uses the same crypt algo: http://www.unc.edu/~vimal/numberTwo.htm

If you remove it from the key, how would you check your password again to see if it's the right one? The salt is just here to break a predictable encryption routine.

When you check you will ask for the user password and then run again the DES fingerprint routine with the same salt (you will get the salt from the stored fingerprint) and compare the 2 fingerprints.

Posted: Thu Nov 06, 2003 4:39 am
by PB
> If you remove it from the key, how would you check again your
> password to see if it's the right one ?

The passwords I need are one-way anyway -- I don't need to reverse
them, so it doesn't matter if I crop off the first 2 characters. :)

Posted: Thu Nov 06, 2003 12:00 pm
by Fred
You can't reverse them, that's not the problem :). You always need to use the same fixed salt then.

Posted: Fri Nov 07, 2003 4:28 am
by PB
> You can't reverse them, that's not the problem

Oops, I see what you mean now. :)

> You always need to use the same fixed salt then.

That's what I'm doing. ;)

Posted: Thu Feb 01, 2007 8:39 pm
by ricardo
Maybe I don't understand something, see my code:

Code:

Password$ = DESFingerprint("password","myspecialkey")
Debug Password$
;Returns myAjnPmbdo5wY
Password$ = DESFingerprint("password","my")
Debug Password$
;Returns myAjnPmbdo5wY

It just takes the first 2 chars in the key, and those chars are visible.

myAjnPmbdo5wY

So if someone uses the 2 chars that are visible, they have my key???

Posted: Thu Feb 01, 2007 8:59 pm
by PB
:shock: Weird! Is that normal? Doesn't seem secure at all!

Posted: Thu Feb 01, 2007 9:10 pm
by ricardo
PB wrote:
> :shock: Weird! Is that normal? Doesn't seem secure at all!

I tried with your own example.

Code:

Debug DESFingerprint("password","key") ; Returns keZqlq1fzdLxy 
Debug DESFingerprint("password","test") ; Returns teobtLiiGEOk 
Debug DESFingerprint("password","hmm") ; Returns hmNjoJWFxoXj2 

;Now we just let the password be 2 letters long, AND RETURN THE SAME!!!

Debug DESFingerprint("password","ke") ; Returns keZqlq1fzdLxy 
Debug DESFingerprint("password","te") ; Returns teobtLiiGEOk 
Debug DESFingerprint("password","hm") ; Returns hmNjoJWFxoXj2

Just use the first 2 letters as password and even make it visible!!

Am I missing something or is it a bug?

Posted: Thu Feb 01, 2007 10:06 pm
by Froggerprogger
It's all OK with it. DES is a Feistel cipher running internally for multiple (16) rounds. Therefore a round key is used, which is generated for each round from the second parameter.

Therefore the password itself has to be passed in the first parameter, so e.g.

Code:

Debug DESFingerprint("password","aa")
Debug DESFingerprint("passwor","aa")
Debug DESFingerprint("passwore","aa")
Debug DESFingerprint("passworf","aa")

give totally different results, though the same key aa is used.

But there is one disadvantage in always using the same key:
If User1 and User2 have the same password and both are always encrypted with the same key "aa", their DES would be exactly the same.
Therefore it is more diffuse to generate the 2-letter seed for the round keys from the username, e.g. by the following:

Code:

user1.s = "User1"
user2.s = "User2"
password1.s = "samepass"
password2.s = "samepass"

;- 1
Debug DESFingerprint(password1, "AA")
Debug DESFingerprint(password2, "AA")
Debug "Of course they look the same, because the same key is used for the same passwords."


;- 2

Debug "Now generate a key for usernames with a length from 3 to 12 letters:"
key1.s = Mid(DESFingerprint(user1, user1), Len(user1), 2)
Debug key1
key2.s = Mid(DESFingerprint(user2, user2), Len(user2), 2)
Debug key2

Debug "And do the DES for (same) password and key"
des1.s = DESFingerprint(password1, key1) ; hash the password (not the username) with the per-user key
Debug des1
des2.s = DESFingerprint(password2, key2)
Debug des2

Debug "Now they look totally different, though the same password is used."
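
The salt handling discussed in this thread, as an added example that is not part of any post: it shows checking a password by reading the 2-character salt back from the stored fingerprint, and what cropping that prefix implies. It is written in Python with PBKDF2-HMAC-SHA256 standing in for the DES-based crypt behind DESFingerprint, so its output values differ from the ones posted above; the function names, iteration count and sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Characters traditional crypt(3) uses for salts.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def fingerprint(password: str, salt: str) -> str:
    """Return salt + digest, the layout the thread observes in DESFingerprint output.

    Stand-in (assumption): the digest is PBKDF2-HMAC-SHA256, not DES.
    As in the thread, only the first 2 characters of `salt` are used.
    """
    salt = salt[:2]
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)
    return salt + "".join(CRYPT_ALPHABET[b & 0x3F] for b in raw)

def new_salt() -> str:
    """Random 2-character salt, generated once per stored password."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))

def verify(candidate: str, stored: str) -> bool:
    """Read the salt back from the stored fingerprint, recompute, compare."""
    return hmac.compare_digest(fingerprint(candidate, stored[:2]), stored)

def verify_cropped(candidate: str, cropped: str, fixed_salt: str) -> bool:
    """Check a record whose 2-character prefix was cut off.

    The record no longer carries its salt, so one fixed salt must be supplied.
    """
    return hmac.compare_digest(fingerprint(candidate, fixed_salt)[2:], cropped)

if __name__ == "__main__":
    # Constructed sample data, not values from the thread.
    # Per-record salts: two users with the same password get different records.
    alice = fingerprint("samepass", "aX")
    bob = fingerprint("samepass", "Qz")
    print(alice != bob, verify("samepass", alice), verify("guess", alice))
    # Cropped prefix with one fixed salt: equal passwords give equal records.
    alice_c = fingerprint("samepass", "AA")[2:]
    bob_c = fingerprint("samepass", "AA")[2:]
    print(alice_c == bob_c, verify_cropped("samepass", alice_c, "AA"))
    print(new_salt())
```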