Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Algorithm does not work with truly random binary keys #10

Open
madmox opened this issue Jul 29, 2019 · 0 comments
Open

Algorithm does not work with truly random binary keys #10

madmox opened this issue Jul 29, 2019 · 0 comments

Comments

@madmox
Copy link

madmox commented Jul 29, 2019
edited

Currently, the default alphabet is eariotnslcudpmhgbfywkvxzjqEARIOTNSLCUDPMHGBFYWKVXZJQ0123456789.

If the key is a truly random byte array (as it should be if the JWT signing implementation is secure...), the bruteforce algorithm does not work, as it only checks for bytes matching the code point of the character in the alphabet, in the locale's encoding (so for the default alphabet, possible byte value ranges are 0x30-0x39, 0x41-0x5A and 0x61-0x7A). Thus, even the simple 1-byte 0x00 key is not detected by the algorithm.

You can specify a custom alphabet as an optional parameter of the program, but the parameter being itself a string in the machine's current locale, you can't bruteforce keys which use bytes translating to non-printable characters.
@madmox madmox changed the title Only works if the key is derived from alphanumeric secret using each character's ASCII code. Algorithm does not work with truly random binary keys Jul 29, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@madmox