NTSecAdvice Archives: Re: Weak Encryption in WinAce CCrypt

Re: Weak Encryption in WinAce CCrypt


NT Security Advice (maillistntsecadvice.com)
Thu, 21 Oct 1999 21:10:16 -0600


-----Original Message-----
From: Mark [mailto:markntshop.net]
Sent: Thursday, October 21, 1999 4:54 PM
To: maillistntsecadvice.com
Subject: Weak Encryption in WinAce CCrypt

I'm forwarding this message on behalf of someone who wishes to remain
anonymous. Pardon the file attachment.

Mark
http://www.ntsecurity.net

========================================================================

                        CCrypt (credit card data encryptor)
                       Uses weak encryption and a static key

Systems: Windows 9x and NT

Description

CCrypt is a utility used by shareware for email-based registration. The
program is distributed in unison with another program - in this case, WinAce
(a file compression util for Win9x and WinNT), which uses CCRYPT to encrypt
credit card info before it is sent between you and the program distributor.
This util has a weak password encryption system because it totally relies on
the expiration date of the credit card itself.

To register WinAce, one must employ the CCrypt interface, where a user
enters their credit card number and expiration date, as well as the name on
the card. The information is then pasted into an email message and sent to
the product distributor.

NOTE: SEE ATTACHED IMAGE FILE FOR SCREEN SHOT OF THE CCRYPT INTERFACE

FACTS:

What do we know?

        - The name of the sender (Usually also the name of the "Credit Card holder")

        - The information is a date.

        - A common way to describe date in this software is:
          YYYY + separator(" " or "-") + "Month" + separator + DD

        - The credit card has a termination date in the near future:
          Say ~within 7 years. I don't know, 7 years seems like a
          more-than-reasonable time. We are only talking ~1500 combinations
          per year, perhaps 1 second of added computations per yearfactor.

        - Any month can have a MAXIMUM of _31_ days

        - There are _12_ Months

        - Common letters for giving a specific date:
          1234567890-abcdefghijlmnoprstuvy_,. (35 characters)

        - In position 5 and 14 there COULD be a {SPACE} or a "-" character.

The problem:

        If the expiration date is "1999 December-31" then we have an
        _ASSUMED_ complexity of: 16^35 keys

        Worst case:
                7*2*12*2*31 = 10416 combinations
                (~ less than 2^14 combinations)
        Second to worst case:
                7*2*72*2*31 = 62496 combinations with L/S text on the first character
                in the month.
                (~ less than 2^16 combinations)

        (We're talking seconds of required computational time here...)

Conclusion:

        This program is really a lousy 14 bit cipher! And some of you may
        have used it to transfer your credit card information over the
        internet! What's worse, the recipient has a (fixed) key to
        decrypt your credit card information; if this key would ever be
        compromised then ALL credit card information between you and the
        recipient will be compromised too.

        If I don't trust this; even though we have the Ciphertext (the result),
        the known plaintext (Cardholder from the Email header) and date, don't
        you have to guess the credit card number too to generate the encrypted
        ciphertext?

        Ok, Suppose we do have to: *

        The credit card numbers are 16 figures large. (4 figures are guessable)
        12 figures, that's roughly 2^41 bits. 2^41 + 2^14 = 2^55 = Less than a 56
        bit cipher = Still not secure, you will be able to crack this on your home
        PC in a few years (or months)

        * (But we don't have to since the algorithm can be ripped out (Reverse
          engineered) + the generated ciphertext can be "reversed" through that.
          Some crypto people just don't get it; _Don't_ base the security (Whole
          or partially) on the secrecy of your algorithm.)

Recommendation:
        Use PGP or other common PKI crypto to safely encrypt your communications.

=====================================================================
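
Added example (not part of the original advisory and not CCrypt's code): a short Python audit that enumerates every key string in the "YYYY + separator + Month + separator + DD" format described above and reports the effective key size in bits. The 1999 start year, the two-digit day, and the abbreviation/case spelling variants are assumptions made for illustration.

```python
import math
from itertools import product

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
SEPARATORS = [" ", "-"]  # the two separators named in the advisory


def month_forms(name, variants):
    """Distinct spellings of one month for the chosen (assumed) variant set."""
    forms = {name}
    if "abbrev" in variants:          # assumption: 3-letter abbreviation
        forms.add(name[:3])
    if "case" in variants:            # assumption: all-lower and all-upper
        forms |= {f.lower() for f in forms} | {f.upper() for f in forms}
    return forms


def candidate_keys(first_year=1999, years=7, variants=()):
    """Yield every 'YYYY<sep>Month<sep>DD' string in the expiry window."""
    for year, s1, month, s2, day in product(
            range(first_year, first_year + years), SEPARATORS, MONTHS,
            SEPARATORS, range(1, 32)):   # 31 is the maximum day of any month
        for form in month_forms(month, variants):
            yield f"{year}{s1}{form}{s2}{day:02d}"


def keyspace_report(**kwargs):
    """Return (number of distinct keys, equivalent key length in bits)."""
    keys = set(candidate_keys(**kwargs))
    return len(keys), math.log2(len(keys))


if __name__ == "__main__":
    for label, variants in [("exact month names", ()),
                            ("abbrev + case variants", ("abbrev", "case"))]:
        count, bits = keyspace_report(variants=variants)
        print(f"{label}: {count} keys = {bits:.2f} bits")
```

The first line of output reproduces the advisory's 7*2*12*2*31 figure; the second uses a constructed variant set, so its count differs from the advisory's 62496.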




This archive was generated by hypermail 2.0b3 on Thu Oct 21 1999 - 22:06:22 CDT