Brute force VNC crack

Jonathan Morton chromi "at" cyberspace.org
Fri, 18 Aug 2000 15:26:56 +0000


>I'm not sure changing the encryption key would prevent brute-force attempts.
>Think of it this way:
>
>Using the "modified" version of VNC I tell VNC that my password is 'george'
>and this gets encrypted to 'gracie' (I know it would be a mess of hex, but
>this is easier) Your argument says that when I attempt to encrypt 'george'
>on the standard VNC viewer I won't get 'gracie' and as such I won't be able
>to issue the correct response to the challenge, and you are correct.
>However, this is a brute force attempt and at some point I am going to
>encrypt 'oldtimer' and that will be encrypted to 'gracie' and then I will be
>able to answer the server's challenge.
>
>Now I think your password is 'oldtimer' and your password is 'george' but it
>doesn't really matter because I have access to your machine anyway.

I don't know the mathematical intricacies of the encryption used for the
challenge/response.  But I do know that the 8-byte password is used as a
key to encrypt a 16-byte random challenge, with the "encryption key" used
as an extra seed.  Changing the seed would produce a different combination
out of (8*16 =) 128 bits of challenge, which you then have to rely on a
'chance' match in one of the combinations available in (8*8 =) 64 bits of
password.  Only in extremely rare circumstances will this match be
available, and it could be fixed easily by changing the key again.

An obvious side-effect of changing the key, is that it has to be changed on
both ends of the connection.  If this key is kept secret, it would have to
be brute-forced at the same time as the password, giving noticeably better
security.  Perhaps it would be a good idea to allow configuration of the
DES key, as an "advanced" option in viewers and servers?  This would be a
good way of increasing security without breaking the protocol.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi "at" cyberspace.org  (not for attachments)
uni-mail: j.d.morton "at" lancaster.ac.uk

The key to knowledge is not to rely on people to teach you it.

Get VNC Server for Macintosh from http://chromatix.autistics.org/vnc/

-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GCS$/E/S dpu(!) s:- a19 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$ V? PS
PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r- y+
-----END GEEK CODE BLOCK-----
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------