[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Cipher detection

To: Maksim.Filenko@xxxxxxxx
Subject: Re: [Full-disclosure] Cipher detection
From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 7 Apr 2011 10:02:37 -0700

> I'm trying to figure out what kind of cipher was used in this:
> 
> GGobQ2bsqd64PXVAmaDiDBg=
> 
> Looks like Base64, but it's not. The original string is:
> 
> dummy@xxxxxxxxxxx
> 
> Thanks all!


As Thor mentioned, since the ciphertext is not a multiple of a common
block cipher's block size (8 or 16 bytes), then an XOR might be in
use.  This points to either a block cipher in CFB, OFB, or similar
modes, or a stream cipher (RC4?), or some hack someone put together
that involves XORing some secret with the email address.

Your next step should be to have several different plaintexts
encrypted, then XOR away the plaintext from the ciphertext to get your
keystream for each.  If you see duplication across key streams, then
you might be looking at a bad hack or use of a cipher which reuses the
same IV for each email address, which is also a big no-no.

HTH,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Cipher detection
  - From: Maksim . Filenko

Prev by Date: Re: [Full-disclosure] Cipher detection
Next by Date: Re: [Full-disclosure] Cipher detection
Previous by thread: Re: [Full-disclosure] Cipher detection
Next by thread: Re: [Full-disclosure] Cipher detection
Index(es):
- Date
- Thread