Subj : Implementing MPWD
To   : Ozz Nixon
From : mark lewis
Date : Fri Jun 22 2018 03:07:20

On 2018 Jun 21 13:10:52, you wrote to me:

 ml>> there was something interesting discovered several months ago,
 ml>> though... in the CRAM-MD5 implementations, apparently only 32byte
 ml>> checksum strings are allowed (or used?) even though the spec allows
 ml>> for up to 64bytes (IIRC)... i scanned three years of binkd logs and
 ml>> all CRAM-MD5-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx strings are of the same

 ON> Not one to argue with a European on the hash algorithms, but, I just
 ON> implemented CRAM-MD5 and CRAM-SHA1. Understanding what I coded, the
 ON> only flaw I saw was when the "secret" is > 64 characters, then it
 ON> switches to a 16bit algorithm, and with CRAM you double process the
 ON> "secret", so I guess they mean if someone uses a 65 character or
 ON> longer password for handshaking using BinkP they have reduced the
 ON> accuracy down to 32bit - but, I do not know of any sysop who is
 ON> willing to type in a 65+ character handshake.

talk with rob swindell (aka digital man)... he found it, IIRC... it wasn't the
length of the password, AFAIK... it was that string of x's i have up there...
whatever that part is called :shrug:

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
.... Out of my mind. Back in five minutes.
---
 * Origin: (1:3634/12.73)
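
For reference on the lengths discussed in this message, an added example (not part of the original post and not any binkp mailer's code) that writes out HMAC-MD5 as defined in RFC 2104 and shows what secrets longer than 64 bytes and challenges of different lengths do to the reply. The `CRAM-MD5-` framing with a hex-encoded challenge is an assumption about the binkp exchange, and every secret and challenge below is a constructed sample value.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 input block size in bytes (RFC 2104's "B")


def normalize_key(secret: bytes) -> bytes:
    """RFC 2104 key rule: over-long keys are hashed, short ones zero-padded."""
    if len(secret) > BLOCK:
        secret = hashlib.md5(secret).digest()  # 65+ byte secret becomes its 16-byte MD5
    return secret.ljust(BLOCK, b"\x00")


def hmac_md5(secret: bytes, message: bytes) -> bytes:
    """HMAC-MD5 written out step by step; always returns 16 bytes."""
    key = normalize_key(secret)
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + message).digest()
    return hashlib.md5(opad + inner).digest()


def cram_md5_response(secret: bytes, challenge_hex: str) -> str:
    """Assumed binkp-style framing: hex challenge in, 'CRAM-MD5-' + hex digest out."""
    digest = hmac_md5(secret, bytes.fromhex(challenge_hex))
    return "CRAM-MD5-" + digest.hex()


def demo() -> dict:
    # Constructed sample values, not taken from any real session or log.
    short_secret = b"example-session-password"
    long_secret = b"x" * 65                      # one byte past the block size
    results = {}
    for nbytes in (8, 16, 64):                   # challenge lengths in bytes
        challenge_hex = bytes(range(nbytes)).hex()
        reply = cram_md5_response(short_secret, challenge_hex)
        results[nbytes] = len(reply) - len("CRAM-MD5-")
    # A 65-byte secret and its MD5 digest are interchangeable as HMAC keys.
    ch = bytes(range(16)).hex()
    results["long_equals_hashed"] = (
        cram_md5_response(long_secret, ch)
        == cram_md5_response(hashlib.md5(long_secret).digest(), ch)
    )
    # Cross-check the hand-written HMAC against the standard library.
    results["matches_stdlib"] = hmac_md5(long_secret, b"abc") == hmac.new(
        long_secret, b"abc", hashlib.md5).digest()
    return results


if __name__ == "__main__":
    print(demo())
```

The hex digest comes out at 32 characters for every challenge length, and a secret longer than 64 bytes behaves exactly like its 16-byte MD5 digest used as the key.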