Top-Secret Encryption
-
Has anyone ever had this happen to them?
I am in charge of "Enterprise systems" in the company I work for. This includes things like our retail POS systems.
We use one particular vendor who'd recently gotten a contract for a large computer manufacturer with a "buy direct" business model.
While working on upgrading a few test machines to their latest and greatest release, I encountered something interesting - encoded passwords for the admin account. Great! This means it's a little more secure, right?
I didn't want to use the default password, so I changed it.. then it didn't work. I looked in the db and found it was written in plain text. Well that's funny.. did they forget to make their admin module encrypt the passwords?
I had a few conversations with support and ultimately there seemed to be no workaround. Gosh! It just slipped their mind, I reckon!
I decided that if I knew what they were using to encrypt the passwords, I could just write a script myself and get on with my day. I was a little shocked by the response I received:
"I cannot give out the method for our encryption."
Oh, so what are they doing some custom high-tech algorithm now or something?
First they encrypt everything. Then they break their admin module so I cannot change passwords, then they tell me there's no workaround and that their encryption is top secret.. Something doesn't add up.
Here's the encrypted password:
`clhmA1
When I upgraded the system, I had still been on the old version of the database, and some new tables were not present. This resulted in an SQL error which was displayed on screen. Now I know why they suddenly decided to "encrypt" their passwords.. so I took a look.. I tried a blank password..
A1
Hmm.. so that's funny..
I typed "a" which became `A1
I then typed abc which became `abA1
WTF? It's a one-level character rotation with "A1" appended at the end. That's it. That's their top-secret password encryption.
Brilliant. That'll fool 'em! and IF THEY ASK FOR THE ALGORITHM, TELL THEM IT'S TOP SECRET!
So now instead of having a plausible explanation for such a stupid feature, they've gone and made themselves look like a bunch of fools protecting that idiotic feature.
CONGRATRURATION! A WINRAR IS YOU!
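Here is the scheme the poster worked out, as an added example that is not code from the thread or from the vendor: an encoder/decoder reconstructed from the three vectors reported above ("" becomes A1, "a" becomes `A1, "abc" becomes `abA1), placed beside a salted, iterated password hash so the gap between "obfuscated" and "protected" is concrete. The function names, the storage format and the iteration count are my own choices, not anything the vendor ships.

```python
"""
Added example (not from the thread or the vendor).

vendor_encode/vendor_decode reproduce the "top-secret" scheme inferred from
the poster's experiments: every character shifted down one code point, then
the fixed tag "A1" appended.  It is deterministic, length-revealing and
trivially reversible, so it is obfuscation, not encryption and not hashing.

hash_password/verify_password show what a password store should do instead:
random per-user salt, a slow key-derivation function, constant-time compare.
"""
import hashlib
import hmac
import os
from typing import Optional

SUFFIX = "A1"                 # fixed tag observed at the end of every stored value
PBKDF2_ITERATIONS = 600_000   # assumed cost parameter for the hardened version


def vendor_encode(password: str) -> str:
    """Shift each character down by one code point and append the tag."""
    return "".join(chr(ord(ch) - 1) for ch in password) + SUFFIX


def vendor_decode(stored: str) -> str:
    """Undo vendor_encode; anyone who can read the database can do this."""
    if not stored.endswith(SUFFIX):
        raise ValueError("value is not in the vendor's format")
    body = stored[: -len(SUFFIX)]
    return "".join(chr(ord(ch) + 1) for ch in body)


def vendor_leaks_length(stored: str) -> int:
    """The stored value reveals the password length directly: len - len(tag)."""
    return len(stored) - len(SUFFIX)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; format is my own: algo$iters$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample password; the vendor form round-trips, the hash does not.
    sample = "correct horse"
    obfuscated = vendor_encode(sample)
    print("vendor form:", obfuscated, "-> decodes to", vendor_decode(obfuscated))
    record = hash_password(sample)
    print("hashed form:", record)
    print("verify ok:", verify_password(sample, record),
          "verify wrong:", verify_password("wrong", record))
```

Two properties of the vendor form are worth pointing out to whoever owns that database: the same password always produces the same stored value, so duplicates across accounts are visible at a glance, and the stored length is the password length plus two. Neither holds for the salted hash, and a leaked hash table still costs an attacker the full PBKDF2 work per guess per account.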
-
Well, at least it wasn't unsalted MD5 or SHA...
-
@morbiuswilters said:
Well, at least it wasn't unsalted MD5 or SHA...
Yeah! I hear those have security problems!
-
Whoohoo!
This was cool encryption about 20 and a half century ago when Julius Caesar used it. It's been a bit old news in the 20 centuries since though.
-
But Caesar didn't come up with the high-tech enhancement of appending "A1" to the ciphertext.
-
Caesar's cipher was three times the security though: 3 letter rotation instead of just one!
-
@Zemm said:
Caesar's cipher was three times the security though: 3 letter rotation instead of just one!
Nothing can beat doing ROT-13 twice.
-
@shiftyphil said:
Nothing can beat doing ROT-13 twice.
I call bullshit. Doing it four times is much more secure.
-
@derula said:
@shiftyphil said:
Nothing can beat doing ROT-13 twice.
I call bullshit. Doing it four times is much more secure.
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
-
@dhromed said:
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
That sounds ingenious. Is n automatically determined based on the computing power? You could use something like (pseudocode):
int n = time(); for (i = 1; i < 10000; i++); n = time() - n;
to find a good value for n.
-
@dhromed said:
@derula said:
@shiftyphil said:
Nothing can beat doing ROT-13 twice.
I call bullshit. Doing it four times is much more secure.
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
Didn't we just have a thread with ROT-13 jokes? Like... a week ago? Pretty sure we did.
Stale humor is so hilarious.
-
@dhromed said:
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
Now if you can get the complexity down under O(2n), you could win some kind of Nobel prize or something.
-
@blakeyrat said:
@dhromed said:
@derula said:
@shiftyphil said:
Nothing can beat doing ROT-13 twice.
I call bullshit. Doing it four times is much more secure.
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
Didn't we just have a thread with ROT-13 jokes? Like... a week ago? Pretty sure we did.
Stale humor is so hilarious.
Stale humor is great, but only if you apply that 2^n times.
-
@blakeyrat said:
That's pretty normal for a small embedded device with no filing system.
@dhromed said:
@derula said:
@shiftyphil said:
Nothing can beat doing ROT-13 twice.
I call bullshit. Doing it four times is much more secure.
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
Didn't we just have a thread with ROT-13 jokes? Like... a week ago?
-
@DaveK said:
@blakeyrat said:
That's pretty normal for a small embedded device with no filing system.
@dhromed said:
@derula said:
@shiftyphil said:
Nothing can beat doing ROT-13 twice.
I call bullshit. Doing it four times is much more secure.
I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.
You provide it with an integer n.
It then applies ROT-13 2n times.
Didn't we just have a thread with ROT-13 jokes? Like... a week ago?
I like the jokes about mis