
So is this a case of 16-bit keys being easy to bruteforce and even easier to use a symbolic solver on, or is there something more subtle going on?


This is not bruteforce. The flaw is the attackers used the same crypto algorithm but with smaller width variables. This rendered some of the crypto useless. Half of the total bytes in the keystream are always null and correspondingly half of total bytes in the ciphertext retain their original value. Even with 16-bit variables, a proper implementation would have made this a lot tougher.

As they say, Don't roll your own crypto.


As they say, Don't roll your own crypto.

I have a feeling the malware author, working in 16-bit realmode, forgot that ints are usually 16 bits wide in that environment. A "typedef unsigned int uint32_t" behaves as expected in the usual 32/64-bit environment, but not in 16-bit. It's unlikely the author invented the 16-bit Salsa20 variant, but rather copied existing code and just compiled it wrongly.
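To make the two comments above concrete (half the keystream bytes being null, and the "uint32_t that is really a 16-bit int" explanation), here is an added example that is not code from the thread, the article, or the malware: a small Python Salsa20 block generator whose word width is a parameter. With bits=32 it is ordinary Salsa20; with bits=16 it mimics a reference implementation compiled where unsigned int is 16 bits wide. One modelling assumption is made and labelled in the code: a shift by at least the word width is treated as producing 0 (in C that is undefined behaviour, so a real 16-bit build may differ in detail). The key, nonce and plaintext are constructed sample values.

```python
"""Model of the narrow-word Salsa20 bug discussed in the thread (added example).

salsa20_block(key, nonce, counter, bits=32) is normal Salsa20.
salsa20_block(key, nonce, counter, bits=16) models the same reference code
compiled with 16-bit ints. ASSUMPTION: shifting by >= the word width yields 0
(undefined behaviour in C; modelled as 0 here).
"""
import struct

SIGMA = (b"expa", b"nd 3", b"2-by", b"te k")  # the "expand 32-byte k" constants


def _shl(v, n, bits):
    """Left shift as the narrow build sees it: result truncated to `bits`,
    shift by >= `bits` modelled as 0 (assumption)."""
    return (v << n) & ((1 << bits) - 1) if n < bits else 0


def _shr(v, n, bits):
    """Right shift; shift by >= `bits` modelled as 0 (assumption)."""
    return v >> n if n < bits else 0


def _rotl(v, n, bits):
    # Reference Salsa20 spells rotation as (v << n) | (v >> (32 - n)).
    # With 16-bit words the right-hand shift is mostly >= 16 and vanishes,
    # so the rotation silently degrades into a plain truncated shift.
    return _shl(v, n, bits) | _shr(v, 32 - n, bits)


def _load32(b, bits):
    # Reference: b[0] | b[1]<<8 | b[2]<<16 | b[3]<<24.
    # In a 16-bit build the two high bytes are shifted out of existence,
    # so half of every key, nonce and counter word is simply ignored.
    return (b[0] | _shl(b[1], 8, bits) | _shl(b[2], 16, bits)
            | _shl(b[3], 24, bits)) & ((1 << bits) - 1)


def _store32(v, bits):
    # Reference stores v, v>>8, v>>16, v>>24. With 16-bit v the last two
    # bytes are always 0: the "half the keystream is null" effect.
    return bytes([v & 0xFF, _shr(v, 8, bits) & 0xFF,
                  _shr(v, 16, bits) & 0xFF, _shr(v, 24, bits) & 0xFF])


def salsa20_block(key, nonce, counter, bits=32, rounds=20):
    """Return one 64-byte keystream block (256-bit key, 64-bit nonce)."""
    assert len(key) == 32 and len(nonce) == 8
    mask = (1 << bits) - 1
    w = lambda data, i: _load32(data[4 * i:4 * i + 4], bits)
    ctr = struct.pack("<Q", counter)
    # Salsa20 state layout: sigma0, k0..k3, sigma1, n0, n1, c0, c1, sigma2, k4..k7, sigma3
    x = ([w(SIGMA[0], 0)] + [w(key, i) for i in range(4)] + [w(SIGMA[1], 0)]
         + [w(nonce, 0), w(nonce, 1), w(ctr, 0), w(ctr, 1)] + [w(SIGMA[2], 0)]
         + [w(key, i) for i in range(4, 8)] + [w(SIGMA[3], 0)])
    s = list(x)

    def qr(a, b, c, d):  # Salsa20 quarterround, additions truncated to the word width
        s[b] ^= _rotl((s[a] + s[d]) & mask, 7, bits)
        s[c] ^= _rotl((s[b] + s[a]) & mask, 9, bits)
        s[d] ^= _rotl((s[c] + s[b]) & mask, 13, bits)
        s[a] ^= _rotl((s[d] + s[c]) & mask, 18, bits)

    for _ in range(rounds // 2):
        qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)  # column round
        qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)   # row round
    return b"".join(_store32((s[i] + x[i]) & mask, bits) for i in range(16))


def salsa20_xor(data, key, nonce, bits=32):
    """Encrypt or decrypt `data` by XOR with the keystream (counter starts at 0)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64, bits)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def null_keystream_positions(key, nonce, bits, counter=0):
    """Byte offsets within one block whose keystream byte is 0."""
    ks = salsa20_block(key, nonce, counter, bits)
    return [i for i, b in enumerate(ks) if b == 0]


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(range(8))  # constructed sample values
    for bits in (32, 16):
        ks = salsa20_block(key, nonce, 0, bits)
        print(f"{bits}-bit words: {ks.hex()}  zero bytes: {ks.count(0)}/64")
    pt = b"constructed plaintext: every 3rd and 4th byte survives the 16-bit build"
    print(salsa20_xor(pt, key, nonce, bits=16))
```

Running it shows why the comment says half the ciphertext keeps its original value: with 16-bit words every keystream byte at offset 4i+2 and 4i+3 is zero, so those plaintext bytes pass through untouched, and the load side throws away half of each key and nonce word as well.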



