Penetration Testing
Validating if password is encoded or encrypted Sep 02 2011 11:58AM
Karen Sy (karensy co gmail com) (1 replies)
RE: Validating if password is encoded or encrypted Sep 12 2011 02:37PM
Maksim Filenko fuib com (1 replies)
RE: Validating if password is encoded or encrypted Sep 17 2011 05:05PM
Abe (abek1 comcast net) (1 replies)
Re: Validating if password is encoded or encrypted Oct 03 2011 04:19AM
Sergey Soldatov (votadlos gmail com) (1 replies)
Re: Validating if password is encoded or encrypted Oct 04 2011 02:50AM
Omar Herrera (oherrera prodigy net mx)
This tool that I created a few years ago might also be helpful. It
implements several randomness tests defined by NIST (in particular tests
that behave well with small random strings).

http://sourceforge.net/projects/ciat/

As you mention, if the bit stream to analyze is B64 encoded, it must be
decoded first.

Regards,

Omar

On 02/10/2011 11:19 p.m., Sergey Soldatov wrote:
> Hello, Karen.
>
> If something is encrypted, the ciphertext is pseudorandom. This is also
> true for hash function (aka message digest, like MD4, MD5, SHA, etc.)
> output. Pseudorandom sequences are not compressed by archivers. So,
> you can check that stored encrypted passwords are random: take a
> number of them, make a text file from them and then try to archive it (ZIP,
> for example). If they compress well, they are not the output of a good
> encryption algorithm or hash function. If they are BASE64-encoded, it's
> better to decode them before this experiment; you should take the clean
> encryption/hash algorithm output.
>
> On Sat, Sep 17, 2011 at 9:05 PM, Abe <abek1 (at) comcast (dot) net> wrote:
>> Most APIs will give you a byte array after Base64 decoding. Once you have
>> the byte array you will need to pass that to the string constructor and
>> specify the character set used on the system where the passwords were
>> stored.
>>
>> Usually the passwords will be Base64-encoded before being stored in the DB,
>> so when you convert the Base64-decoded bytes into a string you either want
>> to do this on the same system that Base64-encoded the data, using the default
>> character set, or on your system, ensuring that the character set on your
>> system matches that on the system which does the Base64 encoding; if they
>> don't match you will need to specify the character set used to create the
>> string object from bytes.
>>
>> Then you can reliably look at the string data to see if it resembles viable
>> passwords or encrypted characters.
>>
>> By the way, if you are doing this on live systems then it could be exposing
>> actual user passwords.
>>
>> Regards,
>> Abe
>>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
>> Behalf Of Maksim.Filenko (at) fuib (dot) com
>> Sent: Monday, September 12, 2011 7:37 AM
>> To: Karen Sy
>> Cc: listbounce (at) securityfocus (dot) com; pen-test (at) securityfocus (dot) com
>> Subject: RE: Validating if password is encoded or encrypted
>>
>> Hey Karen,
>>
>> It is possible for passwords to be encrypted (i.e. with AES) and then
>> encoded with Base64 before storing them in the DB.
>>
>> What do you get after decoding those Base64 strings? Binary data?
>>
>> wbr,
>> - Max
>>
>>> Hi Everyone, I'm currently reviewing an app prior to launching it to our
>>> prod. One of our security requirements is for the password to be
>>> encrypted.
>>> When I checked the password field in the DB, I noticed that all passwords
>>> end with a double equals sign, e.g. "==".
>>> I am under the impression that they are just Base64-encoded rather
>>> than encrypted. However, I tried decoding them using Base64 but I'm not
>>> getting valid data.
>>>
>>> Am I right in saying that the password is encoded? If yes, with what,
>>> e.g. Base64?
>>> How can I prove or show them that the password is just encoded
>>> rather than encrypted?
>>> Or is it encrypted?
>> ------------------------------------------------------------------------
>> This list is sponsored by: Information Assurance Certification Review Board
>>
>> Prove to peers and potential employers without a doubt that you can actually
>> do a proper penetration test. IACRB CPT and CEPT certs require a full
>> practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> ------------------------------------------------------------------------


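The compressibility check from Sergey's reply, with the decode-first step from Omar's, as an added example that is not part of the thread. The password column is constructed: eight reused passwords stored either as Base64 of the plaintext or as Base64 of a salted MD5 digest, MD5 chosen only because a 16-byte value yields the "==" padding seen in the original question.

```python
# Added example (not from the thread): compressibility test on a stored
# password column, decoding Base64 first. All records are constructed.
import base64
import binascii
import hashlib
import random
import zlib

def decode_if_base64(value: str):
    """Decoded bytes if value is strict Base64 (padding checked), else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def compression_ratio(data: bytes) -> float:
    """compressed/original size; ~1.0 or above means zlib found no redundancy."""
    return len(zlib.compress(data, 9)) / len(data)

def decoded_ratio(values) -> float:
    """Ratio over the decoded values (raw bytes if a value is not valid Base64)."""
    return compression_ratio(b"".join(decode_if_base64(v) or v.encode() for v in values))

def undecoded_ratio(values) -> float:
    """Ratio over the stored text itself: Base64 carries 6 bits per character, so
    it always compresses somewhat and misleads the test unless decoded first."""
    return compression_ratio("\n".join(values).encode())

def verdict(values) -> str:
    return ("compressible: not clean cipher/hash output" if decoded_ratio(values) < 0.9
            else "incompressible: consistent with ciphertext or digests")

_rng = random.Random(2011)  # seeded so the constructed column is reproducible
COMMON = ["password123", "Welcome1", "Summer2011!", "letmein", "qwerty123",
          "P@ssw0rd", "changeme", "admin2011"]  # reused across accounts, as users do
USERS = [_rng.choice(COMMON) for _ in range(48)]
PLAIN_B64 = [base64.b64encode(pw.encode()).decode() for pw in USERS]  # column 1

def _salted_digest(pw: str) -> bytes:
    salt = bytes(_rng.getrandbits(8) for _ in range(8))
    return hashlib.md5(salt + pw.encode()).digest()  # 16 bytes, like one AES block

# Column 2: 16-byte values Base64-encode with "==" padding, the trailing "=="
# seen in the original question.
DIGEST_B64 = [base64.b64encode(_salted_digest(pw)).decode() for pw in USERS]

if __name__ == "__main__":
    for name, col in (("plaintext", PLAIN_B64), ("digest", DIGEST_B64)):
        print(name, round(decoded_ratio(col), 2), round(undecoded_ratio(col), 2), verdict(col))
```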
Copyright 2010, SecurityFocus