J-Security Center

Title: Strip Password Generator Limited Password-Space Vulnerability

Severity: MODERATE

Description:

Strip is a password generation utility made freely available by Zetetic Enterprises. Strip is a PalmOS-based application designed to generate and store important passwords.

A problem with Strip makes it possible for users with access to the password file to easily guess passwords encrypted by Strip.

Typically, a pseudo-random number generator uses a seed to set the state of the generator. This seed should be drawn from a large space, be unpredictable, and repeat as rarely as possible over a large number of uses. It is not unusual for a cryptanalyst to attack a cipher by calculating the seed.

The first problem is that the pseudo-random number generator Strip uses can be seeded with a small value, depending on how long the Palm device has been running since its last reset. SysRandom() is seeded from a counter that tracks the usage time of the Palm device in 10ms ticks: for each 10ms period in which the device is on, the tick count is incremented by 1. In addition, SysRandom() produces its output in a linear fashion, which is not recommended for password generation on modern systems. As a result, the application produces a set of possible passwords that is much smaller than the total number of possible passwords.

The second problem is that the PRNG expects a 32-bit number for seeding. However, the variable used to store the result of TimGetTicks(), the function for getting the total tick count from the device, is a 16-bit integer.

The end result is that a generated password is one of at most 2^16 possible sequences.
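The following added example (not Strip's code, and not the J-Security Center's) models the two defects described above so the effective password space can be measured: a seed-determined generator is fed a tick count truncated to 16 bits, and the number of distinct passwords reachable over every possible seed is counted against the nominal keyspace. The linear congruential generator is a stand-in assumption for SysRandom(), and the 62-character alphabet and 8-character length are assumed; the hardened variant uses the OS CSPRNG through Python's secrets module.

```python
"""Effective-keyspace audit for a seed-driven password generator."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: 62 symbols
PASSWORD_LEN = 8                                  # assumption: 8 characters
SEED_BITS = 16  # the advisory's point: TimGetTicks() stored in a 16-bit int


def lcg_stream(seed: int):
    """Stand-in linear congruential generator (assumption, not SysRandom()).

    Only the relevant property is modelled: the seed fully determines
    every value the generator will ever produce.
    """
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        yield state >> 16


def weak_password(ticks: int) -> str:
    """Flawed design: the 32-bit tick count is truncated to 16 bits before
    seeding, so only 2**16 distinct output sequences can ever exist."""
    seed = ticks & 0xFFFF
    rng = lcg_stream(seed)
    return "".join(ALPHABET[next(rng) % len(ALPHABET)]
                   for _ in range(PASSWORD_LEN))


def effective_keyspace(generator, seed_bits: int) -> int:
    """Count distinct passwords reachable over every possible seed value."""
    return len({generator(seed) for seed in range(1 << seed_bits)})


def nominal_keyspace() -> int:
    """What the alphabet and length advertise, ignoring the generator."""
    return len(ALPHABET) ** PASSWORD_LEN


def strong_password() -> str:
    """Hardened variant: OS CSPRNG via secrets, no caller-supplied seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


if __name__ == "__main__":
    eff = effective_keyspace(weak_password, SEED_BITS)
    print(f"nominal: 2^{math.log2(nominal_keyspace()):.1f} passwords, "
          f"effective: 2^{math.log2(eff):.1f} (seed truncated to 16 bits)")
```

Running the audit reports roughly 2^47.6 nominal versus at most 2^16 effective passwords; the gap, not the absolute numbers, is the finding an auditor would record.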

Affected Products:

  • Zetetic Enterprises Strip 0.3.0
  • Zetetic Enterprises Strip 0.4.0
  • Zetetic Enterprises Strip 0.5.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.