The Chronicles of Spellborn

Full Version: Hawksmouth needs your help!
An agent of Shroud gave me an encrypted message they found on a messenger of the outcasts who tried to get into Hawksmouth. They believe its content to be connected to a planned sabotage from within the walls of the city. Other sources indicate preparations being made for a frontal attack on the main gate by a nearby outcasts militia. This reinforces our assumptions about a possible threat from within, since a direct attack on our city-walls would end up being a suicide mission. Note that local security has not yet been alerted since we try to avoid outbreaks of panic which could lead to military and civilian casualties.


The decryption of this message is crucial to the cause of identifying and eliminating double agents BEFORE the attack since it is our only source of information available. The messenger took his life before he could be brought into custody for further questioning. However, a raid on his hideout by Maul's special forces brought the machine used for the en- and decryption of the message to light.


Rune's scientists were able to extract the algorithm for this task but weren't capable of reverting the encryption since it needs a password that only two persons seem to know (our dead messenger and the saboteur).


In short here are our mission objectives:

  1. Decrypt the message*
  2. Find the password used for en- and decryption of the message
  3. Write a program that is able to decrypt all messages made by such device without the password

*top priority

encrypted-message.txt
encryption.txt

I admit I was bored...

[Image: default_sleep.png] I'll just ignore this (I've tried [Image: default_tongue.png])

 

How have you been flythth? ^^

Forum feels a lot faster lately, don't you think?

Hey Vampire Trix!

 

Passed my exams, semester is starting on Monday... the usual ;-)

 

Yeh forum got a lot smoother and you changed the portal (again) ^^. It's always nice to see how you experiment a little with web-design and keep a beacon of hope for the best mmo at the same time ^^

Keep it up!

 

Hopefully someone manages to crack the "super encrypted" message hehe...

That server move did pay off [Image: default_wink.png]

Server has been running smoothly for a few months now. Really pleased with it [Image: default_smile.png]

This time the look is a design from another designer, but I'm working on a new one.

I'm trying to create a pinboard layout with a metro dash, but you'll see when it's ready [Image: default_wink.png]

Mhmm, I'd rather puzzle on the Spellborn animation packages, at least that brings me something in the right direction. [Image: tongue.gif]

 

Greetings Jan-Willem.

I'm happy for you two. At least you have some real goals ^^. My primary goal was to kill time and learn a little C, mission accomplished I guess...[Image: teehee.gif]

 

I managed to decrypt the message using brute force but I still have to manually look at the output and find the version that makes the most sense (which can be huge depending on how good you guess....). I could however implement a function that checks which of the outputs has the most common ASCII characters in it (from let's say 32 to 126?) and only shows those. But I'm too lazy right now. Haven't been able to extract my own password either.

 

Dammit past Flythth... y you make stuff u don't will understand?[Image: pinch.gif]

You should see the login script for the Asuracake (yes, still working on that... just a lot less time with my fulltime job than expected).

 

I'm trying to make that as secure as possible: on any site your password should be encrypted, but I'm taking this to another level: your password will get SHA1 encrypted, but that on its own is not quite secure. You've got rainbow tables with all possible password values, a dictionary if it were with hashed passwords. If we have 500 users, they'd simply look at which hashes match and which don't. They will have the password easily.

 

So, we add a new value to it that is fixed to make these rainbow tables unusable with a value that is the same for every user. But then again, they can simply make a rainbow table with your fixed hash. This means that, if they have your secret value, they can still make a rainbow table, but only useable on your site... which is a lot of extra work. But simple enough: they just make a new rainbow table with the random value, which is almost as easy as the method above, but still a lot more secure.

 

But I didn't stop there... I'm also adding a random value that will get added as well that is unique for every user. This is the dealbreaker: with those 500 users, in order to hack them, they would need to generate a rainbow table for EVERY user. So not 1 rainbow table like with the other methods, but 500 times... which is a TON of work. And it will also take a lot of processing power on your PC and a metric ton of time.

 

So, the Asuracake will be quite secure in that way.

 

You can test easily if a site is secure or if your password will be retrieved easily when they are hacked by requesting your password: if the site sends you your password by mail, it's highly insecure and they store your password in plain text! If you get a reset link, you are safe.

 

The actual register code for the Asuracake is like this:

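<pre class="_prettyXprint">
// Generate the per-user random value once, so that the value stored in 'hash'
// is the same one that goes into the password digest. str_shuffle() returns a
// different string on each call, so calling it separately for 'hash' and for
// 'password' would store a salt that cannot reproduce the digest at login.
$salt = str_shuffle(md5(microtime()));

// Let's set up an array with all the required data we will need to post to the database
$data = array(
    'firstname' => $this->input->post('firstname'),
    'lastname' => $this->input->post('lastname'),
    'email' => $this->input->post('email'),
    'server' => $this->input->post('server'),
    'race' => $this->input->post('race'),
    'profession' => $this->input->post('profession'),
    'activated' => 1,
    // Per-user salt, stored next to the digest
    'hash' => $salt,
    // sha1(per-user salt . password . fixed site-wide value)
    'password' => sha1($salt . $this->input->post('password') . 'SUPERSECRETFIXEDVALUE'),
);

// Report whether the row was written
$query = $this->db->insert('customers', $data);
return (bool) $query;</pre>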
 

Just want to share some information about how our sites are being made [Image: smile.png]

So, if you have any questions, just shoot!

Why don't you just add one value per user? No need to make one for all users plus one for each of them... I'm not sure how much this "double encryption" affects performance vs. trouble for possible hackers though.

How do you want to avoid one user being targeted? Let's say the hacker targets a root or administrator account, makes two of those tables, cracks the password, changes the SUPERSECRETFIXEDVALUE ^^ and swipes all log files.

Then again is our profile encrypted too (like the e-mail or address)?

 

Oh and is it a good idea to discuss security-relevant stuff on a public forum? Or is this information every decent hacker would find out by her/himself?

 

I really love these kinds of discussions ^^

Well, this kind of stuff isn't very secret and I don't believe in security by obfuscation. And by doing this, you just make it that way that hackers would need a ton of time to hack every user so it simply isn't profitable to them to try to.

Also, this really doesn't use many resources at all: you create a random value once for every user and use a fixed value for 1 user.

So basically you just get 1 value from the database, encrypt the password with it and the fixed value and compare it to what we have in the database. 2 queries ain't that bad.

You can never achieve 100% security though and if one wants to hack a user, they will. Social engineering for example: at my work I can see the passwords of our customers for their internet subscription control panel.

Mostly it's the name of their kids...

 

I do not encrypt any value except for your password (and possibly your secret answer, not sure yet) because it doesn't make any sense at all to do so: you need those values. The point of encryption is to make it impossible to retrieve those values. So if we would store your email encrypted, we wouldn't be able to mail you because your mail can't get decrypted. Encryption is one-way most of the time.

If you would use two-way encryption (so be able to decrypt it) you would waste a ton of resources on that.

The password value gets encrypted when you register together with your personal secret value and the fixed secret value. Since SHA1 always returns the same value for a hash, you know what the value is that you should get. So, when you try to login we encrypt your inserted password together with the 2 secret values (salts). If it matches up, you have entered the right password, if not, you entered it wrong.

Even I can't see your password... [Image: default_wink.png]
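
The register and login flow described in this thread (per-user random value plus fixed site value, recomputed at login), shown next to PHP's built-in password API. This is an added example, not the Asuracake code: the function names, the `FIXED_VALUE` constant and the in-memory `$users` array standing in for the `customers` table are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example; not the Asuracake code. The $users array stands in for the
// 'customers' table, and the function names are hypothetical.
const FIXED_VALUE = 'SUPERSECRETFIXEDVALUE'; // site-wide value, as in the post

// Scheme from the thread: sha1(per-user salt . password . fixed value).
function register_sha1(array &$users, string $email, string $password): void
{
    $salt = bin2hex(random_bytes(16)); // CSPRNG salt, generated once per user
    $users[$email] = [
        'hash'     => $salt, // stored in clear next to the digest
        'password' => sha1($salt . $password . FIXED_VALUE),
    ];
}

function login_sha1(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $row = $users[$email];
    // Recompute with the STORED salt and compare in constant time.
    return hash_equals($row['password'], sha1($row['hash'] . $password . FIXED_VALUE));
}

// Same flow with PHP's password API: the salt is generated and embedded in the
// returned string, and the algorithm is slow by design, unlike a single SHA-1.
function register_native(array &$users, string $email, string $password): void
{
    $users[$email] = ['password' => password_hash($password, PASSWORD_DEFAULT)];
}

function login_native(array $users, string $email, string $password): bool
{
    return isset($users[$email])
        && password_verify($password, $users[$email]['password']);
}

// Constructed sample data: two users who picked the same password.
$sha1Users = $nativeUsers = [];
foreach (['a@example.test', 'b@example.test'] as $email) {
    register_sha1($sha1Users, $email, 'hunter2');
    register_native($nativeUsers, $email, 'hunter2');
}
// Per-user salts make the two stored digests differ for the same password.
var_dump($sha1Users['a@example.test']['password'] !== $sha1Users['b@example.test']['password']);
var_dump(login_sha1($sha1Users, 'a@example.test', 'hunter2'));   // correct password
var_dump(login_sha1($sha1Users, 'a@example.test', 'hunter3'));   // wrong password
var_dump(login_native($nativeUsers, 'b@example.test', 'hunter2'));
```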
