Check out the new USENIX Web site. next up previous
Next: Passwords Greater Than 4 Up: Password Decoding Details Previous: Password Decoding Details

Passwords of 4 Characters or Less:

By comparing the encoded password blocks of various short passwords (example in Figure 3), it was determined that a 32-byte constant (Figure 4) was simply being XORed against the ASCII password block.

$A$ = ASCII password
$B$ = 32-byte constant block
$C$ = encoded password block

The starting index, $j$, into the constant block where the XOR operation should begin is calculated by: 

j = (A[0] + strlen(A)) % 32;
The encoded password block is then created: 

for (i = 0; i < 32; ++i, ++j)
{
   // wrap around to beginning
   if (j == 32) j = 0;

   C[i] = A[i] XOR B[j];
}

Figure 3: Encoded password block of ASCII password `test'
\begin{figure} \footnotesize \begin{verbatim} 56 8C D2 3E 99 4B 0F 88 09 02... ... 0C 08 13 5A 32 15 13 5D D2 17 EA D3 B5 DF 55 63\end{verbatim} \end{figure}

Figure 4: 32-byte constant block for use with passwords of length 4 characters or less
\begin{figure} \footnotesize \begin{verbatim} 09 02 13 45 07 04 13 44 0C 08... ... D2 17 EA D3 B5 DF 55 63 22 E9 A1 4A 99 4B 0F 88\end{verbatim} \end{figure}


Kingpin
2001-05-09