[Waste-public] WASTE vulnerability
Status: Beta
Brought to you by:
sh4rd
From: Andrew A. G. <sup...@fr...> - 2003-06-15 18:45:27
|
It looks like I've found a possible exploitable bug in the WASTE code. The private key uses a set ciphertext to verify the password. It seems like knowing what the object is before you try decrypting it would aid any potential crackers. I propose that we change this either to: 1.) Generate random text and calculate the MD5sum. then(); or: 2.) Calculate the MD5sum of the private key. then(); then() { Encrypt both using the same Blowfish algorithm the WASTE currently uses. Upon client start, ask for a password and decrypt. Calculate the MD5sum. If they match, continue. } -- |Andrew A. Gill |I posted to Silent-Tristero and| |<sup...@fr...> |all I got was this stupid sig! | |alt.tv.simpsons CBG-FAQ author | | | (Report all obscene mail to Le Maitre Pots)| |Nothing here yet: <http://www.needsfoodbadly.com> Temporary sig: -- What'dya think, sirs? |