arxeia fotia?

armaos armaos at btinternet.com
Wed Feb 18 15:35:15 EET 2004


On Thu, 19 Feb 2004 11:48:29 +0200
"Nicholas K. Dionysopoulos" <nikosdion at yahoo.gr> wrote:

> Yes and no. As far as I remember there is a little program called John 
> The Ripper which tries to crack some passwords with Brute Force Attacks. 
> Of course it is slower than death :) A somewhat more advanced 
> little program is L0phtCrack (which runs on Windows) and which does 
> the same job, but with a smarter algorithm.
> 
> In short: if you have time and computing power then yes, you can crack 
> the passwords.
> 
> The question is, is it worth spending so much time to crack the password of a 
> system? Hacker only knows...


Good evening,

Let's clear up a couple of things on the subject:

1) You cannot "crack" anything. The algorithm that does the encoding of the password is a one way hash function, so it gives us no mechanism to "go backwards". (Note here that I say "encodes" and not "encrypts" - strange as it may sound to you, in the original implementation of the password suite we call crypt, which sets the characters of our text to null, and our password is the key (this is an encoding function, not encryption - but we pass over it with indifference and avoid the flame).)

2) There was and still is a global need on the system for our passwd to be readable by the whole universe. Let's not forget that it contains the name, group and user IDs, i.e. things that our userspace apps are required to be able to read. Even for the password field, a poor xscreensaver that locked the user's desktop would NOT be able to do the auth and unlock it if it could not read the password field. (In the modern implementations of the shadow suite, of course, we stick in a shadow group that is required to read (the shadow file this time), we make apps sgid to it and we shut everyone else out.)

3) Now let's go to the lovely apps you mentioned that "crack" the encrypted (encoded for me) passwords. Once again, then, they do not "crack" anything.  :-)  What they do is take a pool of known words and encode them with all the possible salts (we recall here that the encoding procedure picks a 2 char string from the pool of [a-zA-Z0-9./] to perturb the hashed string (some crypto nuts call it agitate) in 4096 different ways). (We recall here that further up our good friend John/Jack the ripper fed his lexical references to something that encoded them with all the possible salts - now we know why, right?  :-)  So all it has to do is compare whatever its encoding spat out with whatever already exists encoded in the file that is globally readable. Wherever it finds a match it goes back to the original string that gave the hashed string and voila, it has just found a password. The procedure is closer to password guessing/matching than to decrypting/cracking.

4) At some point later, of course, the GNU extensions to crypt will arrive from our gorgeous glibc, which will move the max output to 34 bytes (MD5 is now used) and will change the scope of the significant bits to the whole key this time.

I hope this helped to give a more complete picture, and I will be glad to help with crypto concerns by private email or through the list. 

Take care

A. Armaos
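
Added example, not part of the original post: a small audit that reads passwd-format text and reports accounts whose password hash sits in the globally readable file, classifying each as traditional crypt (2-char salt from [a-zA-Z0-9./], 4096 possible salts) or the glibc MD5 extension (up to 34 bytes). The regular expressions, the function names and the sample lines are constructed for illustration; the hash strings are filler, not real hashes.

```python
import re

B64 = r"[A-Za-z0-9./]"          # salt/hash alphabet named in the post
SALT_SPACE = 64 ** 2            # 2 chars from a 64-symbol pool = 4096 salts
# Traditional crypt: 2-char salt followed by 11 hash chars (13 in total).
DES_RE = re.compile(rf"^({B64}{{2}})({B64}{{11}})$")
# glibc MD5 extension: $1$ + salt (up to 8 chars) + $ + 22 hash chars (max 34).
MD5_RE = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")

def classify(field):
    """Return (scheme, salt) for the second field of a passwd/shadow line."""
    if field == "x":
        return ("shadowed", None)      # real hash lives in the shadow file
    if field == "":
        return ("empty", None)         # no password set at all
    if field[0] in "!*":
        return ("locked", None)
    for scheme, rx in (("des-crypt", DES_RE), ("md5-crypt", MD5_RE)):
        m = rx.match(field)
        if m:
            return (scheme, m.group(1))
    return ("unknown", None)

def audit(passwd_text):
    """List (user, scheme, salt, field_length) for every exposed hash."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue                   # not a passwd entry
        scheme, salt = classify(parts[1])
        if scheme in ("des-crypt", "md5-crypt", "empty"):
            findings.append((parts[0], scheme, salt, len(parts[1])))
    return findings

# Constructed sample input (filler hashes, hypothetical users).
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:abCONSTRUCTED:1000:1000::/home/alice:/bin/sh
bob:$1$saltsalt$CONSTRUCTEDCONSTRUCTED:1001:1001::/home/bob:/bin/sh
carol:*:1002:1002::/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, salt, length in audit(SAMPLE):
        print(f"{user}: {scheme} hash in passwd (salt={salt}, {length} bytes)")
```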



