
Password Decoding Details

The password is set by the legitimate user with the Security application. The maximum length of the ASCII password is 31 characters. Regardless of the length of the ASCII password, the resultant encoded block is always 32 bytes. Two methods are used to encode the ASCII password, depending on its length. For passwords of four characters or fewer, an index is calculated based on the length of the password and the string is XORed against a 32-byte constant block. For passwords of more than four characters, the string is padded to 32 bytes and run through four rounds of a function that XORs against a 64-byte constant block. By understanding the encoding schema, it is possible to essentially run the routines in reverse to decode the password.

Figure 2: Structure sent during the HotSync process containing encoded password block
\begin{figure}
\footnotesize
\begin{verbatim}
struct {
UInt8 header[4];
...
...userLen+1];
UInt8 password[passwordLen+1];
};\end{verbatim}
\end{figure}

The Palm desktop software makes use of the Serial Link Protocol (SLP) to transfer information between itself and the Palm device. Each SLP packet consists of a packet header, client data of variable size, and a packet footer [20]. During the HotSync negotiation process, one particular SLP packet's client data consists of a structure which contains the encoded password block (Figure 2).
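The framing described above, as an added example that is not part of the original paper: a validator and parser for one SLP frame that returns the client data in which such a structure would travel. The field layout (3-byte signature, socket IDs, packet type, 16-bit size, transaction ID, 8-bit header checksum, CRC-16 footer) is not given on this page and is assumed here from Palm's published SLP description; the sample frame and its contents are constructed.

```python
import struct

SLP_SIGNATURE = b"\xBE\xEF\xED"   # 3-byte preamble (assumed, not from this page)
HEADER_LEN, FOOTER_LEN = 10, 2


def crc16(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0 (assumed SLP footer CRC)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def build_slp(dest: int, src: int, ptype: int, xid: int, body: bytes) -> bytes:
    """Frame client data as header + body + footer (used to make the sample)."""
    head = SLP_SIGNATURE + struct.pack(">BBBHB", dest, src, ptype, len(body), xid)
    head += bytes([sum(head) & 0xFF])          # 8-bit sum of the first 9 bytes
    return head + body + struct.pack(">H", crc16(head + body))


def parse_slp(frame: bytes) -> dict:
    """Validate one SLP frame and return its fields; raise ValueError if bad."""
    if len(frame) < HEADER_LEN + FOOTER_LEN:
        raise ValueError("frame shorter than header + footer")
    if frame[:3] != SLP_SIGNATURE:
        raise ValueError("bad signature")
    dest, src, ptype, size, xid, cksum = struct.unpack(">BBBHBB", frame[3:HEADER_LEN])
    if sum(frame[:9]) & 0xFF != cksum:
        raise ValueError("header checksum mismatch")
    end = HEADER_LEN + size
    if len(frame) != end + FOOTER_LEN:
        raise ValueError("declared client data size does not match frame length")
    (crc,) = struct.unpack(">H", frame[end:])
    if crc16(frame[:end]) != crc:
        raise ValueError("CRC mismatch")
    return {"dest": dest, "src": src, "type": ptype, "xid": xid,
            "client_data": frame[HEADER_LEN:end]}


# Constructed sample: placeholder client data, not a captured HotSync packet.
SAMPLE = build_slp(dest=3, src=3, ptype=2, xid=0x11, body=b"\x01\x02\x03\x04placeholder")

if __name__ == "__main__":
    print(parse_slp(SAMPLE))
```

The checksum and CRC only detect transmission errors; neither provides confidentiality or authenticity for the client data.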

Kingpin
2001-05-09