Encryption Scheme?

chads2k2

Hey check this out.

My friends and I are having a game right now with my software engineering class and we need some help! The professor designed this game and it's turning out to be a really challenging game. Our game is that a group designs a system done in any web language and then we get access to their database contents (raw data) and get access to their website. The game is to layout their entire code structure (not re-program just tell how they could have done it) about how they did things. Well, we got most of it but we are stuck on their encryption scheme they used for their passwords. We have looked in their database and know the password is what is encrypted. When we login it doesn't change so that is important to know. So the password must be able to be decrypted. I will give you some examples we have from them. Ok so here are some examples to work with and see if you guys can come up with the scheme. We tried to give you guys enough examples that are close but not the same. We are going to keep thinking about how they did this.

Thank you so much!

Chad

Username || Password || Encrypted
CS6492 || 64926492 || BIUBR3G4N4W77
bb6829 || 68296829 || ZEQ7ZUTNWIP
KL1029 || 10291029 || DPCCCPUTDWZUM
GM6785 || 67856785 || HOB3CWYXIMJQQ
DC6776 || 67766776 || HOB2HQYXINIQQ
DP5981 || 59815981 || 4FDGM47B7EL3W
BB5040 || 50405040 || 4ZRMY74AMQEO5

drawmack

First of all it can be a one way hash, as they could have your password trasmitted in plain text, then hash it and compare the hashed result with what they stored in their database. My guess is that they either used mysql's password type on the field or they took the md5 of the password.

trex005

can you give us an example of the plaintext password and that SAME password encrypted?

chads2k2

Drawmack yeah good point there. They used MSSQL to do their backend.

Trex -- Did you read my post? I posted plain text passwords and what it was after encryption. Also the username.

Thanks guys!

Chad

trex005

you are correct Chad, I did not read carefully enough.

using the last example

password | md5 | Mysql
50405040 | eee34ff674cdf1d1bf87f62a75b38197 | 0f7a507843766a05

doesn't look like any of those.... unfortunatly, there are infinate more ways they could encrypt it... and I'm not in the mood to try to crack tonight!! 🙂

spent too much time doing that the other nigh! 🙂

http://www.phpbuilder.com/board/showthread.php?threadid=10285206

chads2k2

LOL. No prob Trex. Yeah there are infinite ways to do this. We just might not be able to get the last part on this one. 🙁 All well though, thanks everyone!

Chad

drawmack

Try using social engineering. Without directly asking see if you can get someone on the team talking about how they encrypted the passwords.

chads2k2

Haha yeah that's what we started to do today. I think they are onto it though. It's a rather small class. 🙁

Chad

Weedpacket

If you can't determine the encryption scheme, it would be nice if it turns out to be reversable - if you suggest that it could have been a one-way hash of some sort. Because of the extra protection this gives users even in the event of a security breach at the server. Think about it 😃