Tripcode

From Wikipedia, the free encyclopedia

A post on a Swedish imageboard with a tripcode (colored red), here identical to the poster's name

Tripcodes are a method of telecommunication authentication that does not require registration. They are most often used in 2channel-style message boards or Futaba Channel-style imageboards. A tripcode is a hashed password by which a person can be identified by others.

A tripcode is the output of a cryptographic hash function, computed on the message board server from a password that is usually entered in the same field as the name. Using the common 2channel format, name#tripcode when entered as a username becomes name!3GqYIJ3Obs when displayed in the post. The ! is the separator between name and tripcode; on some boards it is replaced with . [1]

Readers of the board can identify postings made by the same user by comparing tripcodes. If two people use the same user name, they can be told apart because they, presumably, don't know each other's passwords, which generate different tripcodes. This way, the names and passwords don't have to be stored in a database. As many boards use the same algorithm, tripcodes are usually consistent across boards.


Description of the algorithm

The tripcode function works as follows:

  1. Convert the input to Shift JIS.
  2. Generate the salt as follows:
    1. Take the second and third characters of the string obtained by appending "H.." to the end of the input.
    2. Replace any characters not between "." and "z" with ".".
    3. Replace any of the characters in ":;<=>?@[\]^_`" with the corresponding character from "ABCDEFGabcdef".
  3. Call the crypt() function with the input and salt.
  4. Return the last 10 characters. (compressional data harvest)

Since this is merely a de facto standard, actual implementations vary widely. Most notably, many implementations substitute various characters with their HTML entities. For example, 2channel translates <, >, and " to &lt;, &gt;, and &quot;.[2] Other implementations also replace other characters, e.g. & and '. However, this behavior was likely due to a bug in the original implementation, and since each board behaves differently it should not be considered part of the algorithm. Further, some boards don't perform the Shift JIS conversion. Lastly, as a historical note, the original implementation only used the last 8 characters, but this has been fully replaced by 10-character tripcodes.
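The four steps above, written out as an added Ruby example (not code from any board or from the original page). The function names are hypothetical, replacing characters that cannot be converted to Shift JIS with "?" is an assumption, and none of the board-specific HTML-entity substitutions are applied.

```ruby
# Added example: 2channel-style tripcode following the four steps above.
# All function names are hypothetical, not taken from any board's code.

# Step 1: convert the input to Shift JIS and work on the raw bytes.
# Replacing unconvertible characters with "?" is this example's assumption.
def sjis_bytes(password)
  password.encode("Shift_JIS", invalid: :replace, undef: :replace,
                  replace: "?").b
end

# Step 2: derive the two-character salt passed to crypt().
def tripcode_salt(password)
  salt = (sjis_bytes(password) + "H..")[1, 2] # 2.1: 2nd and 3rd characters
  salt = salt.tr("^.-z", ".")                 # 2.2: outside "." .. "z" -> "."
  salt.tr(":-@[-`", "A-Ga-f")                 # 2.3: :;<=>?@ -> A-G, [\]^_` -> a-f
end

# Steps 3 and 4: call crypt() with the input and salt, keep the last 10
# characters. Returns nil when the platform's crypt() does not produce a
# traditional 13-character DES hash (some systems disable it).
def tripcode(password)
  hash = sjis_bytes(password).crypt(tripcode_salt(password))
  return nil if hash.nil? || hash.start_with?("*") || hash.length != 13
  hash[-10, 10]
rescue SystemCallError, ArgumentError
  nil
end

# Turn a name field such as "name#password" into what the board displays.
def render_name(field, separator = "!")
  name, password = field.split("#", 2)
  return field if password.nil? || password.empty?
  code = tripcode(password)
  code ? "#{name}#{separator}#{code}" : name
end

puts render_name("name#tripcode") if __FILE__ == $0
```

Traditional DES crypt() reads only the first eight bytes of its input, so `tripcode("tripcodeXYZ")` returns the same value as `tripcode("tripcode")`.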

Secure tripcodes

Tripcodes are not a very secure authentication method. Since the keyspace of 2channel-style tripcodes is not very large (slightly larger than 2^56), some boards implement a secure tripcode along with normal tripcodes. In that case another hash is used that takes a second input (typically in the form of name##securetripcode or name#tripcode#securetripcode) and uses a secret salt stored on the server. As this salt is secret and site-specific, one cannot use a pre-computed preimage attack such as rainbow tables.

One of the drawbacks of secure tripcodes is that they are specific to a single imageboard or discussion board. Because of this, a user cannot verify his or her identity across multiple boards or websites unless each board happens to use the same secret salt as well as the same method of generating and displaying secure tripcodes. Coupled with the fact that it is fairly rare that a user goes through the trouble of discovering another user's tripcode string, many users opt to use normal tripcodes.
