[Info-vax] What to do with my VAX.....
Arne Vajhøj
arne at vajhoej.dk
Fri Nov 20 19:34:40 EST 2020
On 11/20/2020 10:19 AM, seasoned_geek wrote:
> On Sunday, November 15, 2020 at 7:08:10 PM UTC-6, Alexander Schreiber
> wrote:
>> Good current algorithms like AES have this property - brute force
>> cracking (trying all keys) takes an entirely uselessly long amount
>> of time and there are currently no known weaknesses that reduce this
>> time to something useful
> The big business of CC fraud has simply backed into the answer they
> need like mathematicians back into answers to problems they cannot
> solve. Instead of saying "I know the SALT and I know it is an XML
> packet, but I can't solve for X (the password)" like most gullible
> enough to believe encryption is secure they appear (at least in my
> thinking) to have taken the pragmatic approach.
>
> 1) "<?xml version=" is at the beginning of every packet I'm
> interested in.
> 2) I know the rules for the passwords so it is not every permutation
> of 32 characters, rather it is a significantly limited subset. Most
> will be the minimum 8 and definitely under 20 because people hate
> typing as well as coming up with new passwords. Many people end their
> passwords with "_n" where n is a number because far too many
> financial institutions make them change it every month or 60 days so
> this way they can just increment a number.
> 3) If I can find a time frame where the generated SALT is a lot less
> random I can build a rather complete database over time.
> 4) If I happen to be one of these bot-nets:
> https://themerkle.com/top-4-largest-botnets-to-date/ my only real
> problem is the storage I/O. 6+ million bots generating 100 entries
> per hour each will fill a 32TB NAS up pretty fast. I will need 20-30
> of them scattered around the globe. Gee! I guess I will buy them with
> a stolen CC or 40!
>
> Brute force has gone off-line and high tech.

This is not how encryption is used today.

Symmetric encryption does not use a salt but uses an initialization
vector (IV), but let us ignore that terminology matter.

What you are basically saying is that encryption:
* with known plain text (XML prologue) in first block
* an IV with very limited range
* a key that is deterministically derived from only
  a human picked weak password
can be brute forced.

It most certainly can. It may not even be necessary to tabulate it.
For 8 character passwords it is really a 48 bit encryption,
aka a lot weaker than DES from the 1970's. And a limited
range IV cannot prevent tabulation - and can certainly
not prevent direct brute force.

But it does not have much to do with how encryption is
used today.

The XML prologue is usually not the first block as it
is preceded by various headers.

The IV is generated with a pseudo random number generator
and has full range.

The key is either generated with a cryptographically secure pseudo
random number generator and exchanged via asymmetric encryption
or derived from a long passphrase to ensure full
128/192/256 bit entropy.

With a full range 256 bit IV and a key with 128/192/256 bit
entropy then tabulation will not work.

Arne
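
The contrast drawn in the reply above, as an added example that is not part of the original post: it compares a key that is a fixed function of a short password with a key that is either random or derived from a long passphrase with a fresh random salt. The 64-symbol alphabet (6 bits per character, which gives the 48-bit figure for 8 characters), the PBKDF2 iteration count, the sample passwords and all function names are assumptions.

```python
import hashlib
import math
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor, tune for your hardware


def password_keyspace_bits(alphabet_size, length):
    """Upper bound on key entropy when the key comes only from a password."""
    return length * math.log2(alphabet_size)


def min_length_for(bits, alphabet_size):
    """Characters needed before a passphrase can carry `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def weak_key(password):
    """Weak pattern: same password always gives the same key, so results can be tabulated."""
    return hashlib.sha256(password.encode()).digest()


def derive_key(passphrase, salt=None):
    """Passphrase-derived key: random per-use salt plus a slow KDF."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return key, salt  # the salt is stored next to the ciphertext, it is not secret


def random_key_and_iv():
    """Key and IV straight from the OS CSPRNG (256-bit key, one AES block of IV)."""
    return secrets.token_bytes(32), secrets.token_bytes(16)


if __name__ == "__main__":
    print("8 chars, 64 symbols:", password_keyspace_bits(64, 8), "bits")
    print("chars needed for 128 bits:", min_length_for(128, 64))
    print("chars needed for 256 bits:", min_length_for(256, 64))
    # Constructed sample password: the unsalted key repeats, the salted one does not.
    print("weak key repeats:", weak_key("Summer_7") == weak_key("Summer_7"))
    k1, _ = derive_key("constructed sample passphrase")
    k2, _ = derive_key("constructed sample passphrase")
    print("salted keys differ:", k1 != k2)
```

The salt and the iteration count do not add entropy to a short password; they remove the ability to precompute a table and raise the cost of each guess, which is why the passphrase length still matters.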