DoD Encryption Wizard

  • I got curious and opened this project in JD-GUI. The namespace is afrlew, which I presume is some sort of acronym.

    EDIT: Of course it is! AFRLEW = Air Force Research Laboratory Encryption Wizard

    The lion's share of the crypto appears to be in a class called Hut8.class, which JD-GUI didn't fully decode successfully.

    This looks odd:

        private void incrementSaltIndex(byte[] paramArrayOfByte, int paramInt)
        {
          int tmp5_4 = (paramInt + 3);
          paramArrayOfByte;
          if (0 == (tmp5_1[tmp5_4] = (byte)(tmp5_1[tmp5_4] + 1)))
          {
            int tmp20_19 = (paramInt + 2);
            paramArrayOfByte;
            if (0 == (tmp20_16[tmp20_19] = (byte)(tmp20_16[tmp20_19] + 1)))
            {
              int tmp35_34 = (paramInt + 1);
              paramArrayOfByte;
              if (0 == (tmp35_31[tmp35_34] = (byte)(tmp35_31[tmp35_34] + 1)))
              {
                int tmp50_49 = (paramInt + 0);
                paramArrayOfByte;
                if (0 == (tmp50_46[tmp50_49] = (byte)(tmp50_46[tmp50_49] + 1))) {
                  throw new ArithmeticException("Value overflow");
                }
              }
            }
          }
        }
    
    Their PasswordGenerator class is also interesting. Has a loop that runs for an arbitrary 80000 iterations, etc.

    Overall, no obvious vulnerabilities, but definitely in the "written by a bored undergrad student in their spare time" realm from what I saw. Obviously, I wouldn't recommend using it.
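
Added example, not part of the comment above and not the project's own source: a readable reconstruction of what the decompiled `incrementSaltIndex` listing does, namely incrementing a 4-byte big-endian counter with carry. The class name `SaltIndexDemo`, the reference method `incrementViaInt` and the sample bytes are constructed for illustration. That the counter is a block index appended to a salt (as PBKDF2 does) is an assumption, since the page does not show the caller.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

public class SaltIndexDemo {
    // Treat buf[off..off+3] as a big-endian unsigned counter and add one,
    // carrying from the least significant byte (off+3) toward off.
    static void incrementSaltIndex(byte[] buf, int off) {
        for (int i = off + 3; i >= off; i--) {
            buf[i]++;            // compound op narrows back to byte: 0xFF wraps to 0x00
            if (buf[i] != 0) {
                return;          // no carry out of this byte, done
            }
        }
        // All four bytes wrapped to zero, same condition as the decompiled code.
        throw new ArithmeticException("Value overflow");
    }

    // Reference: the same step as a 32-bit read/modify/write.
    // Unlike the method above, this leaves the buffer untouched on overflow.
    static void incrementViaInt(byte[] buf, int off) {
        ByteBuffer bb = ByteBuffer.wrap(buf);   // big-endian by default
        int v = bb.getInt(off);
        if (v == -1) throw new ArithmeticException("Value overflow");
        bb.putInt(off, v + 1);
    }

    public static void main(String[] args) {
        // Constructed samples: two filler bytes, then a 4-byte counter at offset 2.
        int[][] counters = { {0, 0, 0, 0}, {0, 0, 0, 0xFF},
                             {0, 0xFF, 0xFF, 0xFF}, {0x12, 0x34, 0xFF, 0xFF} };
        for (int[] c : counters) {
            byte[] a = { (byte) 0xAA, (byte) 0xBB,
                         (byte) c[0], (byte) c[1], (byte) c[2], (byte) c[3] };
            byte[] b = a.clone();
            incrementSaltIndex(a, 2);
            incrementViaInt(b, 2);
            System.out.printf("counter=%08x same_as_int_add=%b%n",
                    ByteBuffer.wrap(a).getInt(2), Arrays.equals(a, b));
        }
        byte[] max = { (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF };
        try {
            incrementSaltIndex(max, 0);
        } catch (ArithmeticException e) {
            System.out.println("overflow: " + e.getMessage());
        }
    }
}
```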

  • > The owner of spi.dod.mil has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    oh, yeah, totally clicking on that.

  • I wouldn't use this if you're not dealing with the DoD. However, if you're in the DoD trying to work with an external collaborator, services like this provide at least some way to show, for example, an IRB, that you're moving PHI with due diligence.

    The DoD maintains a PKI system that is essentially independent of the rest of the world's crypto: http://iase.disa.mil/pki-pke/interoperability/Pages/index.as...

  • > EW-Govt is accredited by the Army and Air Force for NIPRNet and SIPRNet. EW is free to users.

    Not that it means anything, but NIPRNet is the unclassified network, SIPRNet is secret level.

    So this is not accredited to run on Top Secret and above.

  • From the bottom of the page:

    Unendorsed polyseme: Encryption Wizard for Oracle [http://www.relationalwizards.com/]

    uh... How can I say this... :)

    wut?

  • I'm wondering if EW-Public has a backdoor/weak encryption that EW-Govt doesn't.

  • can we stop being lame and complaining about https certs of something you're not downloading binaries from or submitting information to? just consider it http and move on. sigh.