Cracking the code?

James A. Donald jamesd at
Sat Mar 3 21:06:16 EST 2007

 >> My questions are: A) is this as vulnerable as it
 >> seems at first blush? B) how many password/hex pairs
 >> would be needed to deduce the underlying algorithm?,
 >> C) If one could deduce the algorithm, could the
 >> attack be generalized so that it could be used
 >> against other enterprises that use the same software?
 >> (It is very(!) widely deployed), and D) am I missing
 >> something in my thinking?

 > A) yes it is vulnerable. B) none - it would take no
 > time to reverse engineer the entire algorithm out of
 > the executable. C) yes of course. D) just how bad this
 > is.

  Concerning B:  If the implementors of the system had
half a brain, they probably did something reasonable to
generate the hex, such as hashing the password with a
large secret, in which case no number of password hex
pairs will reveal the algorithm.

By and large, security systems that are covered by an
NDA are covered by an NDA because they are not very
good, and the seller of the system intends to send
anyone to jail who widely publicizes the fact that they
are not very good.

Approach with care.

          James A. Donald

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list