Date: Fri, 19 Feb 1999 13:51:39 -0500 (EST) From: ET LoWNOISE To: schneier@counterpane.com Cc: PacketStorm@Genocide2600.com Subject: PADLOCK-IT and TwoFish Hi, 2 months ago, i deliver this advisory to bugtraq... but now i have found that this program is more popular than ever because have been showed on WIRED magazine like one of the best prodcuts ever to manage passwords. So i think people need to know the truth. [LOWNOISE] Advisory: et@cyberspace.org by ET. PADLOCK-IT 1.01 =============== DISCLAIMER: Learn, there are dark things behind a nice GUI. Well, maybe this isnt a topic for bugtraq but many people is using this kind of programs to protect all kind of passwords. (Dial-up passwords, UNIX accounts, etc etc etc..............) This is just a quick note about this product. Im going deeper later. PRODUCT: PADLOCK-IT Version 1.01 1998 1998 WinWare Inc. 1998 eEye Digital Security Team <---- Hmmmm!! http://www.eEye.com PROBLEM: Poor Implementation of TWOFISH (Counterpane Systems) encryption DESCRIPTION: PadLock-it is a utility program for Windows 95, 98 and NT. It remembers all your passwords in a single, easy to use interface. It protects your passwords using encryption and fixes many loop holes in windows applications password management. Well, im not a guru on cryptoanalisys but theres something wrong about PadLock-it. I agree that it has a really cool GUI and its easy to use. But its opening new problems on password managment. First, remeber that now all the passwords will be encrypted on 1 file called Padlock-it.dat so any person can grab this file and analize it using just a text editor. Padlock-it.dat (EXAMPLE) ========================= [General] Version=1.01 MP=588b1c441a [Options] TrayIcon=1 Confirm=0 Startup=1 Quick Tips=1 [Accounts] prueba=4a0e54f8^Ä^Å4a0e54f8625f prueba1=5d2bd3e4e7^Ä^Å4a169a9f8901 prueba2=4a169a9f^Ä^Å3db126d6f1fc83a4 enter=588b1c441a^Ä^Å588b1c441a noise=5554c02c0b^Ä^Å5554c02c0b -------------------------------------------------- First problem: THEY ARE NOT USING A RANDOM SEED BETWEEN USERID AND HIS PASSWORD example: prueba = 4a169a9f__ 4a169a9f8900 root root98 If there are some weak passwords: U can guess what is the weak password for a especified USER Remember that is easy to have some USER IDs just because other programs will give u that kind of info. Second problem: THEY ARE NOT USING A RANDOM SEED BETWEEN ACCOUNTS example: prueba1= 5d2bd3e4e7__ 4a169a9f8901 admin root98 So here is more help to have an idea to find the passwords Third problem: U CAN KNOW THE FIRST LETTER (and sometimes the SECOND too) OF ANY USER ID AND THE PASSWORD (THIS INCLUDE THE MASTER PASSWORD MP= "Take a look at the Padlock-it.dat (EXAMPLE)") Weell there is no random seed (IMPORTANT PART ON ANY CRYPTO-THING) So here is it a very little table: 1st letter encrypted a 5d b 5f c 5e d 59 e 58 f 5a g 5b h 51 i 50 j 52 k 53 l 57 m 56 n 55 o 54 p 48 q 49 r 4a s 4b t 4d u 4c v 4f w 4e x 46 y 47 z 44 Another problem: U KNOW HOW MANY CHARACTERS ARE IN THE USER ID AND THE PASSWORD AND THE MASTER PASSWORD. Count the characters on the encrypted password, divide it by 2. example: prueba=4a0e54f8^Ä^Å4a0e54f8625f r*** r***** prueba1=5d2bd3e4e7^Ä^Å4a169a9f8901 a**** r***** Another problem: THEY SAY (On HELP): I can only enter 5 characters for my master password, why? The evaluation version of PadLock-it^Ù is limited to 40 bit encryption, only US full versions of PadLock-it^Ù support 128 bit encryption, which translates into 16 character passwords. SO U KNOW THE FIRST LETTER OF THE MP SO A BRUTE FORCE ATTACK IS EASY TO DO TO FIND THE NEXT 4 CHARACTERS. Another problem: THEY SAY (On HELP): I forgot my master password, can I get it back? No, PadLock-it uses a state of the art security that is unbreakable, no one can get your master password. Not even the developers of PadLock-it. WHEN U ENTER TO EDIT AN ACCOUNT PADLOCK DECRYPT THE USERID AND IT SHOW YOU ON CLEAR TEXT. THE MP USES THE SAME TWOFISH ENCRYPTION WITHOUT SEED LIKE THE ACCOUNTS: [General] Version=1.01 MP=588b1c441a "guess the password" [Accounts] enter=588b1c441a^Ä^Å588b1c441a "enter" "enter" THE MP JUST WORK TO AUTENTICATE YOU, IT HAS NO JOB ON LATER ENCRYPTION. CONCLUSION: IF THEY DECRYPT THE USER ID, THEY CAN BREAK THE MP.!!!!! NOTE: THEY SAY: What Encryption algorythm does PadLock-it^Ù use? PadLock-it^Ù uses the latest release of Twofish encryption from Counterpane Systems. BRUCE SCHNEIER is the president of Counterpane Systems, the author of Applied Cryptography (John Wiley & Sons, 1994 & 1996), and the developer of Blowfish and Twofish. WELL THEY ARE JUST USING THE POPULARITY OF A GREAT DUDE... Twofish its c00l... the implementation on this proggy just sucks. ================================================================ Efrain `ET` Torres LoWNOISE Colombia. et@cyberspace.org 1999 et@my.narco-goverment.sucks.co ================================================================