Top-Secret Encryption



  • Has anyone ever had this happen to them?

    I am in charge of "Enterprise systems" in the company I work for. This includes things like our retail POS systems.

    We use one particular vendor who'd recently gotten a contract for a large computer manufacturer with a "buy direct" business model.

    While working on upgrading a few test machines to their latest and greatest release, I encountered something interesting - encoded passwords for the admin account. Great! This means it's a little more secure, right?

    I didn't want to use the default password, so I changed it.. then it didn't work. I looked in the db and found it was written in plain text. Well that's funny.. did they forget to make their admin module encrypt the passwords?

    I had a few conversations with support and ultimately there seemed to be no workaround. Gosh! It just slipped their mind, I reckon!

    I decided that if I knew what they were using to encrypt the passwords, I could just write a script myself and get on with my day. I was a little shocked by the response I received:

    "I cannot give out the method for our encryption."

    Oh, so what are they doing some custom high-tech algorithm now or something?

    First they encrypt everything. Then they break their admin module so I cannot change passwords, then they tell me there's no workaround and that their encryption is top secret.. Something doesn't add up.

    Here's the encrypted password:

    `clhmA1

    When I upgraded the system, I had still been on the old version of the database, and some new tables were not present. This resulted in an SQL error which was displayed on screen. Now I know why they suddenly decided to "encrypt" their passwords.. so I took a look.. I tried a blank password..

    A1

    Hmm.. so that's funny..

    I typed "a" which became `A1

    I then typed abc which became `abA1

    WTF? It's a one-level character rotation with "A1" appended at the end. That's it. That's their top-secret password encryption.

    Brilliant. That'll fool 'em! and IF THEY ASK FOR THE ALGORITHM, TELL THEM IT'S TOP SECRET!

    So now instead of having a plausible explanation for such a stupid feature, they've gone and made themselves look like a bunch of fools protecting that idiotic feature.

    CONGRATRURATION! A WINRAR IS YOU!
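The scheme the post describes, reproduced as an added example (this is not the vendor's code): the encoder is inferred from the three samples shown above ("" -> "A1", "a" -> "`A1", "abc" -> "`abA1"), an audit check flags stored values that invert to printable text, and a salted PBKDF2 hash shows what the column should hold instead. The user names, sample passwords and PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed reproduction of the scheme described in the post, inferred from
# its three samples: "" -> "A1", "a" -> "`A1", "abc" -> "`abA1". Each character
# is shifted down by one code point and the fixed marker "A1" is appended.
MARKER = "A1"

def vendor_encode(password: str) -> str:
    """Shift every character down by one and append the marker."""
    return "".join(chr(ord(c) - 1) for c in password) + MARKER

def vendor_decode(stored: str) -> Optional[str]:
    """Invert the scheme; None if the value does not carry the marker."""
    if not stored.endswith(MARKER):
        return None
    return "".join(chr(ord(c) + 1) for c in stored[:-len(MARKER)])

def looks_like_vendor_scheme(stored: str) -> bool:
    """Audit check for a credential column: a value that carries the marker and
    inverts to printable text is reversible encoding, not a password hash."""
    plain = vendor_decode(stored)
    return plain is not None and all(c.isprintable() for c in plain)

# What the column should hold instead: a salted, iterated hash. PBKDF2-HMAC is
# used here because it is in the standard library; the round count is assumed.
def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 600_000) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed sample rows: one value in the vendor scheme, one proper hash.
    rows = {"admin": vendor_encode("admin"), "auditor": hash_password("correct horse")}
    for user, value in rows.items():
        state = "REVERSIBLE" if looks_like_vendor_scheme(value) else "hashed"
        print(f"{user:8} {state:11} {value}")
```

Encoding "admin" yields exactly the "`clhmA1" value quoted in the post, which is how the scheme was confirmed.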



  • Well, at least it wasn't unsalted MD5 or SHA...



  • @morbiuswilters said:

    Well, at least it wasn't unsalted MD5 or SHA...

     

     Yeah!  I hear those have security problems!



  •  Whoohoo!

     This was cool encryption about 20 and a half centuries ago when Julius Caesar used it. It's been a bit old news in the 20 centuries since though.



  •  But Caesar didn't come up with the high-tech enhancement of appending "A1" to the ciphertext.



  •  Caesar's cipher was three times the security though: 3 letter rotation instead of just one!



  • @Zemm said:

     Caesar's cipher was three times the security though: 3 letter rotation instead of just one!
     

     Nothing can beat doing ROT-13 twice.



  • @shiftyphil said:

     Nothing can beat doing ROT-13 twice.

    I call bullshit. Doing it four times is much more secure.



  • @derula said:

    @shiftyphil said:
     Nothing can beat doing ROT-13 twice.

    I call bullshit. Doing it four times is much more secure.

     

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.



  • @dhromed said:

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.

    That sounds ingenious. Is n automatically determined based on the computing power? You could use something like (pseudocode):

    int n = time(); for (i = 1; i < 10000; i++); n = time() - n;
    to find a good value for n.


  • @dhromed said:

    @derula said:

    @shiftyphil said:
     Nothing can beat doing ROT-13 twice.

    I call bullshit. Doing it four times is much more secure.

     

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.

     

    Didn't we just have a thread with ROT-13 jokes? Like... a week ago? Pretty sure we did.

    Stale humor is so hilarious.



  • @dhromed said:

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.

    Now if you can get the complexity down under O(2n), you could win some kind of Nobel prize or something.



  • @blakeyrat said:

    @dhromed said:

    @derula said:

    @shiftyphil said:
     Nothing can beat doing ROT-13 twice.

    I call bullshit. Doing it four times is much more secure.

     

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.

     

    Didn't we just have a thread with ROT-13 jokes? Like... a week ago? Pretty sure we did.

    Stale humor is so hilarious.

     

     

    Stale humor is great, but only if you apply that 2^n times.



  • @blakeyrat said:

    @dhromed said:

    @derula said:

    @shiftyphil said:
     Nothing can beat doing ROT-13 twice.

    I call bullshit. Doing it four times is much more secure.

     

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.

     

    Didn't we just have a thread with ROT-13 jokes? Like... a week ago?

    That's pretty normal for a small embedded device with no filing system.



  • @DaveK said:

    @blakeyrat said:

    @dhromed said:

    @derula said:

    @shiftyphil said:
     Nothing can beat doing ROT-13 twice.

    I call bullshit. Doing it four times is much more secure.

     

    I use an algorithm where ROT-13 strength can be varied, and as such, is scalable with an increase in computing power.

    You provide it with an integer n.

    It then applies ROT-13 2n times.

     

    Didn't we just have a thread with ROT-13 jokes? Like... a week ago?

    That's pretty normal for a small embedded device with no filing system.

     

    I like the jokes about mis

