[16937] in bugtraq
E*TRADE's encryption algorithm is XOR
daemon@ATHENA.MIT.EDU (Tim Hollebeek)
Wed Sep 27 19:16:03 2000
Message-ID: <4BC10D47D7ACD3119FA800104B1F88363E7DFD@exchange.rstcorp.com>
Date: Wed, 27 Sep 2000 14:51:18 -0400
Reply-To: Tim Hollebeek <thollebeek@CIGITAL.COM>
From: Tim Hollebeek <thollebeek@CIGITAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Jeffrey Baker's advisory on security vulnerabilities with E*TRADE's web
interface describes the cookie encryption algorithm in terms of a lookup
table, and Marc Slemko has posted an implementation with a series of
compares, additions, and subtractions.
In fact, it is much worse: The encryption scheme is just XOR with a fixed
byte.
"Encryption" proceeds as follows:
1. Take the ASCII byte and XOR it with 0xA8. (e.g. for 'f' [0x66] -> [0xCE])
2. Split it into the high and low nibbles. (e.g. [0xCE] -> [0xC, 0xE])
3. Add 0x40 to produce an uppercase letter or '@'. (e.g. [0xC, 0xE] -> "LN")
Repeat for the rest of the characters in the username and password. That's
it.
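The three steps above written out in Python, as an added worked example that is not part of the original post or of any E*TRADE code. It also carries the keyless inverse, which is the whole point: a fixed XOR byte plus a nibble-to-letter mapping is reversible by anyone who has seen one sample, so the cookie is obfuscated, not encrypted.

```python
"""Reference model of the cookie "encryption" described in the post."""

XOR_KEY = 0xA8          # the fixed byte named in the post; there is no per-user key
NIBBLE_OFFSET = 0x40    # maps a nibble 0..15 onto '@', 'A'..'O'


def encode(plaintext: str) -> str:
    """Steps 1-3 from the post, applied to every ASCII character."""
    out = []
    for byte in plaintext.encode("ascii"):
        x = byte ^ XOR_KEY                  # step 1: XOR with 0xA8
        hi, lo = x >> 4, x & 0x0F           # step 2: split into nibbles
        out.append(chr(hi + NIBBLE_OFFSET))  # step 3: 0x40 + nibble -> '@'..'O'
        out.append(chr(lo + NIBBLE_OFFSET))
    return "".join(out)


def decode(encoded: str) -> str:
    """Inverse of encode(). No secret is needed, only the steps above."""
    if len(encoded) % 2:
        raise ValueError("encoded text must have an even number of characters")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        hi = ord(encoded[i]) - NIBBLE_OFFSET
        lo = ord(encoded[i + 1]) - NIBBLE_OFFSET
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError(f"invalid pair {encoded[i:i + 2]!r} at offset {i}")
        out.append(((hi << 4) | lo) ^ XOR_KEY)
    # latin-1 so that every byte value round-trips, even non-ASCII ones
    return out.decode("latin-1")


def looks_like_this_encoding(value: str) -> bool:
    """Cheap structural check: even length, every character in '@'..'O'.

    Useful when auditing your own cookies or logs for this kind of scheme;
    it flags the shape of the output, not its contents.
    """
    return len(value) % 2 == 0 and all("@" <= c <= "O" for c in value)


if __name__ == "__main__":
    # The post's own example: 'f' (0x66) -> 0xCE -> "LN"
    print(encode("f"))            # -> LN
    print(decode("LN"))           # -> f
```

Because there is no key and no randomisation, equal inputs always produce equal cookies, so even without decoding, identical credentials are visible as identical cookie values.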
Tim Hollebeek
Cigital, Inc.
(formerly Reliable Software Technologies)