Both CoffeeCup Direct FTP and CoffeeCup Free FTP clients use a proprietary encryption algorithm that is, as is usual in such cases, very weak. The file C:\Program Files\CoffeeCup Software\Free FTP\FTPServers.ini has an entry with all the data of every stored server, including the password information.

Credit:
The information has been provided by Julio César Hernández of the Computer Science Department, Carlos III University.

The weak encryption algorithm:
The encryption algorithm is simple but interesting. The corresponding decryption algorithm is:
D(c1c2 c3c4 c5c6 ... c(2n-1)c(2n)) = ASCII(0x(c3c4) - 0x(c1c2)) ASCII(0x(c5c6) - 0x(c1c2)) ... ASCII(0x(c(2n-1)c(2n)) - 0x(c1c2))
For example:
D(1444) = D(1E4E) = D(1040) = D(0B3B) = ASCII(0x30) = ASCII(48) = "0"
So there are 256 different encryption possibilities for every password, depending on the starting value (c1c2) selected.
Another example:
D(1182887683858A) = ASCII(0x82-0x11) ASCII(0x88-0x11) ASCII(0x76-0x11) ASCII(0x83-0x11) ASCII(0x85-0x11) ASCII(0x8A-0x11)
= ASCII(0x71) ASCII(0x77) ASCII(0x65) ASCII(0x72) ASCII(0x74) ASCII(0x79)
= qwerty
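
The function D above, written out in Python as an added example (it is not part of the original advisory and is not CoffeeCup code). The names decode, encode and all_encodings are assumptions, as is the modulo-256 wraparound, which the advisory's examples never exercise. It checks the worked values and shows that every one of the 256 stored forms of a password reverses without any secret.

```python
"""Added illustration of the advisory's D() function; not CoffeeCup code."""


def decode(stored: str) -> str:
    """Apply D(): subtract the first byte (c1c2) from every following byte."""
    stored = stored.strip()
    if len(stored) < 2 or len(stored) % 2:
        raise ValueError("expected an even number of hex digits, at least one byte")
    raw = bytes.fromhex(stored)  # raises ValueError on non-hex input
    key, body = raw[0], raw[1:]
    # Assumption: differences wrap modulo 256; the advisory only shows
    # cases where no wraparound occurs.
    return bytes((b - key) % 256 for b in body).decode("latin-1")


def encode(password: str, key: int) -> str:
    """Inverse of decode() for a chosen starting byte (hypothetical helper)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    data = password.encode("latin-1")
    return bytes([key] + [(b + key) % 256 for b in data]).hex().upper()


def all_encodings(password: str) -> set:
    """Every stored form of one password, one per starting byte."""
    return {encode(password, k) for k in range(256)}


if __name__ == "__main__":
    # Values taken from the advisory's worked examples.
    for sample in ("1444", "1E4E", "1040", "0B3B", "1182887683858A"):
        print(sample, "->", repr(decode(sample)))
    forms = all_encodings("qwerty")
    print(len(forms), "stored forms, all decoding to",
          {decode(f) for f in forms})
```

The starting byte is stored in the clear at the front of the value, so it adds variety to the stored string but no secrecy.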
Conclusion:
We recommend that users of these two programs avoid storing information for non-anonymous FTP servers, because anyone who can read the file FTPServers.ini can easily recover all of its passwords, compromising their security.