brendan-rius/c-jwt-cracker

Algorithm does not work with truly random binary keys

Opened this issue · 0 comments

Currently, the default alphabet is eariotnslcudpmhgbfywkvxzjqEARIOTNSLCUDPMHGBFYWKVXZJQ0123456789.

If the key is a truly random byte array (as it should be if the JWT signing implementation is secure...), the bruteforce algorithm does not work, as it only checks for bytes matching the code point of the character in the alphabet, in the locale's encoding (so for the default alphabet, possible byte value ranges are 0x30-0x39, 0x41-0x5A and 0x61-0x7A). Thus, even the simple 1-byte 0x00 key is not detected by the algorithm.

You can specify a custom alphabet as an optional parameter of the program, but since the parameter is itself a string in the machine's current locale, you can't brute-force keys which use bytes translating to non-printable characters.
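As an added illustration (not code from the issue or from the c-jwt-cracker project), the following Python audit makes the observation concrete from the defender's side: it checks whether a given HS256 secret consists only of bytes the default alphabet above could ever produce, computes how small a slice of the full byte keyspace such an alphabet covers, and mints/verifies a JWT with a key containing non-printable bytes to show the key is an arbitrary byte string rather than text. The 62-character alphabet is taken from the issue; the token helpers and sample keys are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Default alphabet as quoted in the issue: an alphabet-restricted search only
# ever tries keys whose bytes encode one of these characters
# (0x30-0x39, 0x41-0x5A, 0x61-0x7A in ASCII/UTF-8 locales).
DEFAULT_ALPHABET = b"eariotnslcudpmhgbfywkvxzjqEARIOTNSLCUDPMHGBFYWKVXZJQ0123456789"
SEARCHABLE_BYTES = frozenset(DEFAULT_ALPHABET)


def in_default_alphabet(key: bytes) -> bool:
    """True if every byte of the secret lies inside the default alphabet,
    i.e. the secret is inside the keyspace such a search can reach."""
    return len(key) > 0 and all(b in SEARCHABLE_BYTES for b in key)


def alphabet_coverage(key_len: int, alphabet_size: int = len(DEFAULT_ALPHABET)) -> float:
    """Fraction of all key_len-byte keys reachable with an alphabet of the given size."""
    return (alphabet_size / 256) ** key_len


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def hs256_token(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT; the HMAC key is raw bytes, printable or not."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def hs256_verify(token: str, key: bytes) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


if __name__ == "__main__":
    # Constructed sample secrets: the issue's 1-byte 0x00 key, a text password,
    # and a properly generated random key.
    for k in (b"\x00", b"secret", secrets.token_bytes(32)):
        print(k.hex(), "reachable by default alphabet:", in_default_alphabet(k))
    print(f"P(random 32-byte key is all-alphabet) = {alphabet_coverage(32):.3e}")
    tok = hs256_token({"sub": "alice"}, b"\x00\xff\x10")
    print("verifies with the binary key:", hs256_verify(tok, b"\x00\xff\x10"))
```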