On Sat, May 11, 2024 at 4:17 PM Jacob Moody <mo...@posixcafe.org> wrote: > On 5/11/24 14:59, Dan Cross wrote: > > On Sat, May 11, 2024 at 3:36 PM hiro <23h...@gmail.com> wrote: > >>> explanation of dp9ik, which while useful, only > >>> addresses what (I believe) Richard was referring to in passing, simply > >>> noting the small key size of DES and how the shared secret is > >>> vulnerable to dictionary attacks. > >> > >> i don't remember what richard was mentioning, but the small key size > >> wasn't the only issue, the second issue is that this can be done > >> completely offline. why do you say "only", what do you think is > >> missing that should have been documented in addition to that? > > > > Probably how a random teenager could break it in an afternoon. :-) > > If we agree that: > > 1) p9sk1 allows the shared secret to be brute-forced offline. > 2) The average consumer machine is fast enough to make a large amount of > attempts in a short time, > in other words triple DES is not computationally hard to brute force these > days. > > I don't know how you don't see how this is trivial to do. > A teenager can learn to download hashcat, all that is missing from this right > now is some python > script to get the encrypted shared secret from a running p9sk1 server. All > the code for doing > this is already written in C as part of the distribution, you just have to > only do half the > negotiation and break out. I think you vastly underestimate the > resourcefulness of teenagers. > > I had previously stated I would publish the PoC that friends of mine in > university built > as part of their class, I have been asked to not do that so I will not.
To be clear: _I'm_ not saying it can't be done. I don't know that it can be done in an _afternoon_; maybe a day or two, but I honestly don't know. I was just trying to clarify what (I think) Richard was asking for. - Dan C. ------------------------------------------ 9fans: 9fans Permalink: https://9fans.topicbox.com/groups/9fans/Tde2ca2adda383a3a-Me442d3920e7aeed16791c3f8 Delivery options: https://9fans.topicbox.com/groups/9fans/subscription