0

I have been tasked with moving an authentication service from our provider to somewhere else. The code base for the current service is not available to me, but I know these things:

  • I have a 65 character plaintext key
  • Something labeled a "nonce" with 3 characters and in plain text
  • An encrypted string which (possibly coincidentally) begins with the nonce and is 35 characters long.

I have tried many of the googled suggestions without luck. Mostly nobody even mentions using a nonce.

Can anyone give me some idea of what I might want to do to decrypt the string? Nodejs or python would be my tools of choice?

kelalaka
  • 48,443
  • 11
  • 116
  • 196
Col Wilson
  • 101
  • 1
  • This question cannot be answered fully without knowledge about the strings. Please post test vectors, and a test key. If you don't have a test key yet, then something is seriously wrong as you 1. should test and 2. should not test with "live" keys. If there is no protocol description then I guess we've already established that things are seriously wrong, by the way. 3DES. Stringified input / output. Oh, boy. – Maarten Bodewes Dec 18 '18 at 09:48
  • Yep it is not a situation I chose. – Col Wilson Dec 19 '18 at 14:42
  • Unfortunately we can only give generic answers like the one given by DannyNiu, therefore I closed the question. Good luck anyway finding the proprietary scheme used. – Maarten Bodewes Dec 20 '18 at 00:26

1 Answers1

3

Challenge-based symmetric-key authentication works a bit like this:

  1. Server picks a randomly chosen challenge and sends it to the client.

  2. Client "transforms" the challange with his key and send the result back to the server.

  3. Server does the same transformation with the same key, and verify if the two matches.

The transformation can be an encryption algorithm, but usually well-designed system would use a MAC (message authentication code) such as HMAC.

In your case, the nonce is most likely a challenge, although 3 character only provides 24-bit (<21 bits if ASCII-only) insecurity.

DannyNiu
  • 9,207
  • 2
  • 24
  • 57
  • I think the implications of what you say is that 1. the nonce is probably not directly related to decrypting the string but is used in the exchange mechanism to get that string and 2. I'll just have to keep fiddling with my code until I get a result which looks like it means something. Thanks. – Col Wilson Dec 17 '18 at 12:02