Lord_Soth
March 14th, 2002, 02:37
hi guys,
First let me start by saying that I am by far not a crypto guru. I just
happened to get caught up in the need to secure a TCP session
using both authentication and encryption, and I'm slowly studying
the matter.
The situation is as follows:
There are two programs, one the client and the second is the server.
These two tiers communicate using some protocol over TCP.
The goal is to provide an authentication mechanism based on a
password/passphrase, and then have the traffic between the two
encrypted so that anyone sniffing it will not be able to figure it out.
The idea is to not only secure the traffic, but making sure only the
appropriate user can use the server (it is designed to be used by
only one person at a time).
So far, that is the problem, now to my idea, which I have no way
of judging if is even secure.
Let's take the assumption that the server knows the correct
password. For the sake of argument, it is encrypted using MD5
and stored locally on the server in some file.
We'll also assume that when the TCP connection is established,
the first command to the server should be of the following format:
PASS <encrypted authentication string>
Now, what I thought to do was that when the password is entered
by a user, it is automatically hashed using MD5 (and thus, the
entered password is not kept), and then sent to be the auth
string, BUT, after having been encrypted ITSELF, so that no1
can sniff it and try to brute force it.
How to encrypt the pass ? Well, the first obvious thought I had
was to use the hash itself to encrypt itself again, using XOR.
When my brain switched on, I realized that anything XORed
with itself becomes zeroes, so, no point there.
The solution is to add another string to it, so that the password
hash doesnt XOR with itself and give 0.
A good string to add is for example a UTC time, which is just
the seconds elapsed from epoch (in Unix).
However, if any1 were to sniff this, he would know that the first
octets are numbers, and have a pretty good estimate on the
time (since he sniffs traffic that passes right after the time was
taken from the OS). So if the padd time is for example 1000000,
it would likely be 1000001 or something of the sorts when the
traffic passes through the network. Knowing a few characters
that you can XOR the traffic with will let you find a part of the
hash, and that means reducing the number of possiblities left
by a LOT
So, after I realized THAT won't work as well, I tried to think of
a way to padd the beginning of the hash with something that
is NOT guessable.
The idea is to take the password, add the time string to it, and
use MD5 on that. What we get is a different hash, which we
cannot guess in advance (we dont know the pword).
We use say half of the chars from this new hash, we concatenate
to that our password hash, and send that over the network,
XOR encrypred with the password hash.
so for example:
password hash: e4uerhgergh1
time+password hash: th894ht4er38
we would send: th894h e4uerhgergh1 (without the space)
XORed with e4uerhgergh1 (since the XORing hash is smaller in
length, we will tile the XORing..).
The server receives this, and knows that the first 6 chars should
be dumped (we used 6 pads) and takes the rest and decrypts
them using his stored password (but making sure to start from
the 7th char of the hash).
This is just the auth part, and the hash can be used for encryption
later on.
Now the attack ideas. Since the only way to check if a correct
password has been entered is to initiate a connection, I see
little possibility that any bruteforce can be done on this model.
After all, if you cant try at least a few thousands of attempts per
second, you really can't bruteforce...
The big question is, are there any ways of cryptoanalysis that
can somehow work on the encrypted info passed to the server?
I mean, if the password is good, MD5 will give a good hash,
and using the time+pass, you really do get a padding which cannot
be guessed (or so I think hehe).
Any guru here wanna comment on this model ? sugget ways
to attack it ?
It might not be THE way I choose to do this, since I'm hoping on
using SSL or TLS, but still...
Thanks in advance, and my apologies for the long message,
Lord Soth
First let me start by saying that I am by far not a crypto guru. I just
happened to get caught up in the need to secure a TCP session
using both authentication and encryption, and I'm slowly studying
the matter.
The situation is as follows:
There are two programs, one the client and the second is the server.
These two tiers communicate using some protocol over TCP.
The goal is to provide an authentication mechanism based on a
password/passphrase, and then have the traffic between the two
encrypted so that anyone sniffing it will not be able to figure it out.
The idea is to not only secure the traffic, but making sure only the
appropriate user can use the server (it is designed to be used by
only one person at a time).
So far, that is the problem, now to my idea, which I have no way
of judging if is even secure.
Let's take the assumption that the server knows the correct
password. For the sake of argument, it is encrypted using MD5
and stored locally on the server in some file.
We'll also assume that when the TCP connection is established,
the first command to the server should be of the following format:
PASS <encrypted authentication string>
Now, what I thought to do was that when the password is entered
by a user, it is automatically hashed using MD5 (and thus, the
entered password is not kept), and then sent to be the auth
string, BUT, after having been encrypted ITSELF, so that no1
can sniff it and try to brute force it.
How to encrypt the pass ? Well, the first obvious thought I had
was to use the hash itself to encrypt itself again, using XOR.
When my brain switched on, I realized that anything XORed
with itself becomes zeroes, so, no point there.
The solution is to add another string to it, so that the password
hash doesnt XOR with itself and give 0.
A good string to add is for example a UTC time, which is just
the seconds elapsed from epoch (in Unix).
However, if any1 were to sniff this, he would know that the first
octets are numbers, and have a pretty good estimate on the
time (since he sniffs traffic that passes right after the time was
taken from the OS). So if the padd time is for example 1000000,
it would likely be 1000001 or something of the sorts when the
traffic passes through the network. Knowing a few characters
that you can XOR the traffic with will let you find a part of the
hash, and that means reducing the number of possiblities left
by a LOT
So, after I realized THAT won't work as well, I tried to think of
a way to padd the beginning of the hash with something that
is NOT guessable.
The idea is to take the password, add the time string to it, and
use MD5 on that. What we get is a different hash, which we
cannot guess in advance (we dont know the pword).
We use say half of the chars from this new hash, we concatenate
to that our password hash, and send that over the network,
XOR encrypred with the password hash.
so for example:
password hash: e4uerhgergh1
time+password hash: th894ht4er38
we would send: th894h e4uerhgergh1 (without the space)
XORed with e4uerhgergh1 (since the XORing hash is smaller in
length, we will tile the XORing..).
The server receives this, and knows that the first 6 chars should
be dumped (we used 6 pads) and takes the rest and decrypts
them using his stored password (but making sure to start from
the 7th char of the hash).
This is just the auth part, and the hash can be used for encryption
later on.
Now the attack ideas. Since the only way to check if a correct
password has been entered is to initiate a connection, I see
little possibility that any bruteforce can be done on this model.
After all, if you cant try at least a few thousands of attempts per
second, you really can't bruteforce...
The big question is, are there any ways of cryptoanalysis that
can somehow work on the encrypted info passed to the server?
I mean, if the password is good, MD5 will give a good hash,
and using the time+pass, you really do get a padding which cannot
be guessed (or so I think hehe).
Any guru here wanna comment on this model ? sugget ways
to attack it ?
It might not be THE way I choose to do this, since I'm hoping on
using SSL or TLS, but still...
Thanks in advance, and my apologies for the long message,
Lord Soth