• Implementing MPWD

    From Ozz Nixon@1:275/362 to All on Tue Jun 19 00:24:06 2018
    Has anyone else taken the time to implement all that BinkP can be?

    I have a design question for MPWD, basically an interpretation question on matching passwords.

    Regards,
    Ozz

    --- dBridge & Rhenium
    * Origin: RVA Fido Support - ExchangeBBS.com, ModernPascal.com (1:275/362)
  • From mark lewis@1:3634/12.73 to Ozz Nixon on Wed Jun 20 12:33:12 2018
    On 2018 Jun 20 07:24:06, you wrote to All:

    Has anyone else taken the time to implement all that BinkP can be?

    not sure what you are asking...

    I have a design question for MPWD, basically an interpretation
    question on matching passwords.

    the question is fine in here but i don't know if there are any binkd maintainers in here... they're more easily found in BINKD and apparently hang out more in BINKD.RU or some such...

    there was something interesting discovered several months ago, though... in the
    CRAM-MD5 implementations, apparently only 32byte checksum strings are allowed (or used?) even though the spec allows for up to 64bytes (IIRC)... i scanned three years of binkd logs and all CRAM-MD5-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx strings are of the same length... longer ones fail... i'm not sure about shorter ones... it was discussed in one of more of BINKD, NET_DEV, SYNC_SYSOPS,
    SYNCHRONET, or SYNC_PROGRAMMING...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Religious error: (A)tone, (R)epent, (I)mmolate?
    ---
    * Origin: (1:3634/12.73)
  • From Ozz Nixon@1:275/362 to mark lewis on Thu Jun 21 13:10:53 2018

    the question is fine in here but i don't know if there are any binkd maintainers in here... they're more easily found in BINKD and apparently hang out more in BINKD.RU or some such...

    I will check that one out ... thanks!

    there was something interesting discovered several months ago, though...
    in the CRAM-MD5 implementations, apparently only 32byte checksum strings are allowed (or used?) even though the spec allows for up to 64bytes (IIRC)... i scanned three years of binkd logs and all CRAM-MD5-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx strings are of the same

    Not one to argue with a European on the hash algorithms, but, I just implemented CRAM-MD5 and CRAM-SHA1. Understanding what I coded, the only flaw I
    saw was when the "secret" is > 64 characters, then it switches to a 16bit algorithm, and with CRAM you double process the "secret", so I guess they mean if someone uses a 65 character or longer password for handshaking using BinkP they have reduced the accuracy down to 32bit - but, I do not know of any sysop who is willing to type in a 65+ character handshake.

    Ozz

    --- dBridge & Rhenium
    * Origin: RVA Fido Support - ExchangeBBS.com, ModernPascal.com (1:275/362)
  • From mark lewis@1:3634/12.73 to Ozz Nixon on Fri Jun 22 03:07:20 2018
    On 2018 Jun 21 13:10:52, you wrote to me:

    there was something interesting discovered several months ago,
    though... in the CRAM-MD5 implementations, apparently only 32byte
    checksum strings are allowed (or used?) even though the spec allows
    for up to 64bytes (IIRC)... i scanned three years of binkd logs and
    all CRAM-MD5-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx strings are of the same

    Not one to argue with a European on the hash algorithms, but, I just implemented CRAM-MD5 and CRAM-SHA1. Understanding what I coded, the
    only flaw I saw was when the "secret" is > 64 characters, then it
    switches to a 16bit algorithm, and with CRAM you double process the "secret", so I guess they mean if someone uses a 65 character or
    longer password for handshaking using BinkP they have reduced the
    accuracy down to 32bit - but, I do not know of any sysop who is
    willing to type in a 65+ character handshake.

    talk with rob swindell (aka digital man)... he found it, IIRC... it wasn't the length of the password, AFAIK... it was that string of x's i have up there... whatever that part is called :shrug:

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Out of my mind. Back in five minutes.
    ---
    * Origin: (1:3634/12.73)