Hoopy frood (OP)
Joined: Jan 2004
Posts: 2,127
The salt *parameter* is a text string, yes. Rather than having parameters be &binvars, my list of improvements had previously suggested a switch where the key and salt/iv parameters both be seen as hex instead of UTF8 text. I was not asking here for it to accept a &binvar parameter; I'm referring to how the 64-bit salt value seen in the string's header at byte positions 9-16 should be handled internally as that same 64-bit value.
Using the 's' switch is just overriding the effect of how the 64bit salt is randomly created, and using a salt parameter shorter than 8 is no different than a random salt that happened to generate 0x00 for the 8th byte. $decode can always decrypt without using the 's' switch because the 64bit salt created by the 's' salt-parameter is stored there, and $decode has no way of knowing whether that salt was generated randomly or by user input. If 1 or more of the final bytes of the 64bit salt is the 0x00 byte, then it should still be part of the 8-byte 64-bit value, the same as the 0x00 would be if it were randomly generated.
The random salt has always been created as a binary value, where each of the 8 bytes has a 1/256 chance of being a 0x00 byte. 1 out of every 32.4 64-bit random values has at least one 0x00 byte in it, and they're being hashed differently than other programs would expect. As I've seen described at the link I pasted, the method of combining the salt and password involves a hash function where the password can be of variable length, but the salt is a fixed length of 8. By not including the trailing 0x00's padded to the end of user-input salts, it creates incompatible hashes due to a not=8 length input being combined with the passphrase as input to a hash function which generates the IV and the salted-key.
In addition to being incompatible, this behavior of chopping at the 1st 0x00 byte is happening for the default generating of random 64-bit salts, and there it's causing many messages with unique 64bit salts and the same key parameter to be encrypted identically, only differing by having the 'unique' salt stored in the encrypted string's header. In addition to being incompatible with the test vectors, this is contrary to the intent of what a random salt should be doing.
By having a 64-bit salt combined with the key, it's supposed to allow somewhere in the neighborhood of 2^64 different salted-keys being generated from the same passphrase key+salt. 1 out of every 256 random salts has the 1st byte of the 64bit salt randomly generated as the 0x00 byte. By truncating the random salt at the first occurrence of the 0x00 byte, this group of random salts has 2^56 members in it, and they're all hashed by combining the passphrase with the $null string instead of combining the passphrase with the 8-byte value shown in the header as bytes 9-16. The same thing is happening to other groups of random salts which have 2^48 members, 2^40 members, etc. Instead of the 'birthday paradox' causing a random 64bit salt to have a 50% chance of being duplicated in 4 billion messages, the example showed truncated duplicates were happening over 100 times in 25k messages.
At first glance, a lot of these strings appear different, but that's only because of containing a unique salt in their header, which sometimes is mostly ignored. In this example, the "+++++++++" is where most of the truncated 64bit salt is stored in the header. The +'s can be replaced with any other mime character and it has no effect on the decryption.
//echo -a $decode(U2FsdGVkX18A+++++++++0rIX3dSCYYa216ecXj5pkL9ki5Fa+iJR2jmd2mPUIjP,mc,key)
I'm anticipating the salt parameter should be handled the way the IV parameter and the randomly generated IV's are being handled internally.
$encode(message,mcir,key,iv) vs $encode(message,mcs ,key,salt)
The IV parameter shorter than 8 is being padded to length 8 with 0x00's and stored in the header, the same as done with the short salt parameter. By allowing shorter than length 8 IV parameters, this allows additional IV's to be created which otherwise could not be created from a text string. When the 1st byte of a random generated IV is 0x00 and is followed by other non-0x00 bytes, it's not being used as if the IV were entirely 0x00's.
Other programs seeing 0x00's in the 64bit salt, regardless of how they were generated randomly or by user input, would be generating completely different salted-keys and IV out of hashing the passphrase and salt together. If there is a reason that $encode and $decode can't internally handle 64bit salts containing the 0x00 byte, then $encode can retain compatibility with the test vectors by not creating the 3.1% of random 64bit values that contain the 0x00 byte, using the method in my 'randsalt' alias where it generates 8 different random numbers from the range 1-255. If 0x00's would no longer be allowed in the 64bit salt, this also would mean the salt parameter would need to go back to requiring the length of the salt being exactly 8 bytes. However this would still retain incompatibility with how other programs would occasionally be generating random 64bit salts containing 0x00's.
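The truncation effect described in the post above, as an added Python example that is not part of the original post and is not mIRC's code. It assumes the salted key and IV come from the OpenSSL-style derivation (EVP_BytesToKey with MD5 and one iteration) with a 16-byte key and 8-byte IV; the `other` salt is constructed for the comparison.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # header bytes 1-8; the 64-bit salt is bytes 9-16

def parse_header(mime_text):
    """Return (salt, ciphertext) from a base64 'Salted__' string."""
    raw = base64.b64decode(mime_text)
    if raw[:8] != MAGIC or len(raw) < 16:
        raise ValueError("not a salted string")
    return raw[8:16], raw[16:]

def derive(passphrase, salt, key_len=16, iv_len=8):
    """Assumed KDF: OpenSSL EVP_BytesToKey, MD5, one iteration."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def truncate_at_nul(salt):
    """The behaviour reported in the post: salt cut at the first 0x00."""
    return salt.split(b"\x00", 1)[0]

def affected_fraction(n_bytes=8):
    """Share of uniformly random salts containing at least one 0x00."""
    return 1 - (255 / 256) ** n_bytes

def effective_salts(salts):
    """Count distinct salts before and after truncation."""
    return len(set(salts)), len({truncate_at_nul(s) for s in salts})

# The string quoted in the post; the first byte of its salt is 0x00.
POSTED = "U2FsdGVkX18A+++++++++0rIX3dSCYYa216ecXj5pkL9ki5Fa+iJR2jmd2mPUIjP"

if __name__ == "__main__":
    salt, _ = parse_header(POSTED)
    other = b"\x00" + b"\x11" * 7  # constructed: different salt, same first byte
    print("salt in header:", salt.hex())
    print("full-salt keys differ:", derive(b"key", salt) != derive(b"key", other))
    print("truncated keys equal :",
          derive(b"key", truncate_at_nul(salt)) == derive(b"key", truncate_at_nul(other)))
    print("affected: %.2f%%" % (100 * affected_fraction()))
```
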
Entire Thread
Invalid key lengths in $encode(data,<e[l]|cl>,key) | maroon | 07/12/17 07:46 PM