On Sun, 13 Apr 2008 01:39:44 -0400, Bill Cole dovecot-20061108@billmail.scconsult.com wrote:
At 9:32 PM +0100 4/12/08, Douglas Willcocks imposed structure on a stream of electrons, yielding: [...]
I've read through the document, and I now understand where exactly the precomputed context sits in the whole picture, but I'm still unsure how to reproduce it without dovecotpw.
In looking a little closer at RFC1321 that defines MD5, I think I see the trick. The stored contexts are not full MD5's of Ki and Ko, they are just the 16 bytes of state after hashing those single key blocks. A full MD5 hash gets finalized by padding out the data with nulls and a 64-bit count of the hashed data. If you were to do a normal MD5 of Ki and Ko, the result would include the result of the finalization step.
You can see this in the hmac_md5_get_cram_context and hmac_md5_set_cram_context functions in the Dovecot code. The former extracts just the 4 32-bit state values, and the latter sets them and sets the bit count in the context structure to 512 (i.e. 64 bytes)
Maybe that provides a helpful clue...
Thank you very much for the time you spent looking into this.
There are still some wholes in the algorithm, but so far:
Do the first part of HMAC as normal up to XOR'ing with 0x5c, including strangely enough what looks like a full (i.e. including nulling and padding) md5 hash if the passphrase is longer than 64 (this step should be feasible to replicate)
Do the first step of md5 hashing (again, using the Perl library you suggested, it should be feasible to replicate the required functionality)
-- From now on, it gets a bit sketchy
Using the intermediate states of Ko and Ki, extract the various segments into a char[] so you end up with an array of 32 8bit segments. I'm unsure exactly what the bitwise AND operator is used for, I thought that a bitwise AND with 0xFF would leave everything the same?
Display a hex representation of the array contents.
I'll have a go later today and report back any findings. Of course, I could have completely misunderstood one of the steps, and that'll screw up the others, but still.
-- Bill Cole bill@scconsult.com
-- Douglas Willcocks