From: Johannes Baagoe on 13 May 2010 11:40

Ry Nohryb :

[...]

> var stat= document.getElementById('idStatus') ||
> document.body.appendChild(document.createElement('pre'));

[...]

> stat.innerHTML= [n, "[ "+ vector+ " ]", key];

[...]

Any particular reason why you do it in a browser ? I would have gone straight to standalone v8.

-- 
Johannes

From: Ry Nohryb on 13 May 2010 11:41

On May 13, 5:25 pm, Johannes Baagoe <baa...(a)baagoe.com> wrote:
> Ry Nohryb :
>
> > Coov,***** This, I agree, is no real security :)
>
> Well done !
>
> Now, what about the real password ? Shall I post it, or does anyone want
> more time to try ?

How long is the other pwd :-) ?

I can test them @ 180 KHz on a single Core2, in Chrome.

But there's still the question of how to know when to stop, if you hadn't given me the .substring(0,5) ==== "*****" hint ?

-- 
Jorge.

From: Ry Nohryb on 13 May 2010 11:46

On May 13, 5:40 pm, Johannes Baagoe <baa...(a)baagoe.com> wrote:
> Ry Nohryb :
>
> [...]
>
> > var stat= document.getElementById('idStatus') ||
> > document.body.appendChild(document.createElement('pre'));
>
> [...]
>
> > stat.innerHTML= [n, "[ "+ vector+ " ]", key];
>
> [...]
>
> Any particular reason why you do it in a browser ? I would have gone
> straight to standalone v8.

It's easier, much more convenient: you just navigate to the page, press cmd-I, paste my code and hit enter... And in Chrome, if you open a second tab and do the same but choosing a different vector to start from (e.g. [31,31,31,31]), it will run in parallel in the second core (if on a Core2). And if you've got 4 cores... open 4 tabs, and so on.

-- 
Jorge.

From: Johannes Baagoe on 13 May 2010 12:02

Ry Nohryb :
>Johannes Baagoe :

>> Now, what about the real password ? Shall I post it, or does anyone
>> want more time to try ?

> How long is the other pwd :-) ?

8 chars - rather too short for serious use, but probably long enough here, especially if you crack in javascript. Chrome's v8 is astonishingly fast, but still much slower than C or asm, of course.

> I can test them @ 180 KHz on a single Core2, in Chrome.

That makes 62^8 / 180000 seconds, more than 38 years. Of course, you may be lucky and hit the right combination in the first seconds, but I wouldn't bet on it :)

> But there's still the question of how to know when to
> stop, if you hadn't given me the .substring(0,5) ==== "*****" hint ?

Well, in most real cases, the plaintext contains well-known parts, e.g. markup. And / or the letters have a frequency that is not too far from the average for the language. Etc. Those are reasonably safe assumptions for the enemy, and there is not much you can do about it. So you don't give much away by acknowledging the obvious in the code, and it provides a sanity check allowing you to put up a helpful "Wrong password" message instead of God knows what comes out of a wrong decryption. AES is supposed to be resistant to any known plaintext attack, anyway.

-- 
Johannes

From: Johannes Baagoe on 13 May 2010 13:17

Ry Nohryb :

> there's still the question of how to know when to stop, if you hadn't
> given me the .substring(0,5) ==== "*****" hint ?

Suppose the very worst case : you know absolutely nothing about the plaintext, except that it is supposed to be read and understood by humans. What simple property would still quite decisively set it apart from the decryption with a wrong key ? How could you test that property by program ?

-- 
Johannes
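
Added example, not part of the original thread or any poster's code: a decryption-side sanity check built on the letter-frequency point made above, which can drive a "Wrong password" message without a marker prefix. The function names, thresholds and sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): score how text-like a decrypted buffer is.
const toBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));

// Space plus the twelve most frequent English letters (traditional order "etaoinshrdlu").
const COMMON = new Set(toBytes(" etaoinshrdlu"));

// Share of bytes that are printable ASCII, tab, LF or CR.
function printableFraction(bytes) {
  if (bytes.length === 0) return 0;
  const ok = bytes.filter((b) => (b >= 0x20 && b <= 0x7e) || b === 9 || b === 10 || b === 13);
  return ok.length / bytes.length;
}

// Share of bytes that are a space or one of the common letters, ignoring case.
function commonLetterFraction(bytes) {
  if (bytes.length === 0) return 0;
  const hits = bytes.filter((b) => COMMON.has(b >= 0x41 && b <= 0x5a ? b + 0x20 : b));
  return hits.length / bytes.length;
}

// Thresholds are illustrative assumptions; short inputs give noisy scores.
function looksLikeText(bytes, minPrintable = 0.95, minCommon = 0.5) {
  return printableFraction(bytes) >= minPrintable && commonLetterFraction(bytes) >= minCommon;
}

// Constructed samples: an English sentence, and every byte value once as a
// stand-in for the near-uniform output a wrong key produces.
const SAMPLE_TEXT = toBytes("Readable text has mostly letters and spaces, and the common letters dominate.");
const WRONG_KEY_STANDIN = Array.from({ length: 256 }, (_, i) => (i * 37) % 256);

function report(label, bytes) {
  return `${label}: printable=${printableFraction(bytes).toFixed(3)} ` +
    `common=${commonLetterFraction(bytes).toFixed(3)} text=${looksLikeText(bytes)}`;
}

console.log(report("sample text", SAMPLE_TEXT));
console.log(report("wrong-key stand-in", WRONG_KEY_STANDIN));
```

Because these statistics can be computed by anyone holding the ciphertext, the marker check in the page's code adds convenience rather than exposure; the protection rests on the password length and the cipher.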