Re: bo2k cryptography

1999-08-24 Thread mischief

[EMAIL PROTECTED] wrote:
 
> The authors have announced and fixed one bug...

Here's the details of that one:


http://www.securityfocus.com/templates/archive.pike?list=1date=1999-08-1[EMAIL PROTECTED]

-- Forwarded message --
Date: Sun, 01 Aug 1999 21:29:40 -0500
From: Irwan Amir Widjaja [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: bo2k plugins

Hi,

I recently (July 31st) discovered that the CAST-256 plugin v2.2
allows any user to connect to any CAST256 server with any password.
After reporting the bug to Daniel (the author), he fixed the plugin
within a few hours and found that the problem lay within Maw~'s MD5
module, which he used for his plugin (Dan later found that MAW~'s IDEA
plugin has the same flaw).

This is obviously a very big security risk for administrators who use
bo2k as a legit remote administration tool (as opposed to a 'cracking 
hacking' tool).

Currently CAST-256 and IDEA are the only strong encryption plugins which
are internationally available for bo2k (the only ones I'm aware of at
least).

There were over 1000 downloads of the faulty CAST256 plugin alone.

Both of these plugins have been updated by their authors.

Sincerely,

Amir



Re: bo2k cryptography

1999-08-23 Thread mischief

The authors have announced and fixed one bug where the keys
generated were always the same. Full scrutiny would be advisable
before deployment.

Bluefish wrote:
 
> I've received some questions by email which are beyond my ability to
> answer. The questions are about the cryptographic strength of the plugin
> for bo2k (3DES IIRC, see www.bo2k.com and www.cdc.com, down once in a
> while it seems). If anyone doesn't know what bo2k is, it's a remote control
> utility which has caused some discussions regarding ethics which are off
> topic here...
>
> Basically I wonder if there is any evaluation of how strong the encryption
> is. I'm aware that 168 bit is considered "NSA-secure" and that 3DES
> is considered secure, but what about
>
>   -- 3DES algorithm used correctly?
>   -- Key generation: Good PRNG, Bad PRNG, Good Hash, Bad Hash?
>
> And any other subject which might come to mind.
>
> //blue