
Re: Huge Problem with cryptoloop and AES: Lost Password



Lars Reimann wrote:
> I stored my 20 character passwords on my palm device only (I know by now
> that this was stupid!). However, that one crashed and apparently all data
> was lost, including passwords. However, I may remember certain details of
> the password, for example which characters I did not use, and how the
> password ends.

This won't help you now, but one way to handle lost/forgotten passphrases is
to use gpg encrypted key files where all key files are encrypted using both
employer's "recovery" public key and user's public key. Employer's
"recovery" public key can be distributed to everyone, and copies of private
keys physically locked in a safe. That way employer can recover user's data
even if user drops dead.

> Also, I would like to automate trying different passwords. Is there a
> program available which does such (brute force) things with the
> cryptoloop? However, I may have to write it on my own if nothing is
> available. I heard it may be possible to extract some sectors of ext2/3
> partitions which are always "zero". Then the decryption can be verified by
> using such sectors. Does anyone have an idea which SECTORS these are on ext2/3
> partitions and how to extract them?

First 16 bytes of fourth 512 byte sector are always zero on unencrypted ext2
and ext3 file systems.

This command shows you your ciphertext (in hex):

    dd if=/dev/md2 bs=16 skip=96 count=1 2>/dev/null | od -An -tx1 -

And when you find a key that decrypts to (in hex):

    03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Then you have found your key. That 03 number is the XOR of zero file system
data and sector number IV of fourth 512 byte sector.

If you used loop-AES version of losetup, as your losetup syntax seems to
imply, then you need to:

1) Compute hash #1 of your passphrase using SHA512, store first 256 bits as
   'bulk_key'. Zero/CR/LF byte at the end of string NOT included in hash.

2) Compute hash #2 of your passphrase using SHA512, but bit 0 of first
   passphrase byte inverted.

3) Encrypt first 128 bits of bulk_key, using first 256 bits of hash #2 as
   AES256 key.

4) Encrypt second 128 bits of bulk_key, using first 256 bits of hash #2 as
   AES256 key.

5) Exchange bytes bulk_key[8...15] with bulk_key[16...23]

6) Repeat steps 3...5 for total of 500000 times.

7) Decrypt your file system ciphertext using AES256 and bulk_key

8) Compare to known plaintext (03 00 .... 00 00). If it matches, then you
   found your passphrase.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
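
The eight steps above as an added Python example (not part of Jari Ruusu's message and not loop-AES code). It follows the steps as the message states them; the function names are made up here, AES-256 is written out so the block has no dependencies, and the final check encrypts the known block 03 00 ... 00 and compares it with the ciphertext, which is equivalent to decrypting and comparing.

```python
import hashlib

def gmul(a, b):                       # multiply in GF(2^8) modulo the AES polynomial
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox(a):                         # field inverse (a^254), then the affine map
    inv = 1
    for _ in range(254): inv = gmul(inv, a)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX, M2 = [_sbox(a) for a in range(256)], [gmul(a, 2) for a in range(256)]

def expand_key(key):                  # AES-256 key schedule: 15 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gmul(rcon, 2)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def encrypt_block(rk, block):         # AES-256 on one 16-byte block (ECB)
    s = [x ^ y for x, y in zip(block, rk[0])]
    for r in range(1, 15):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if r < 14:                                                # MixColumns
            s = [M2[s[c + i]] ^ M2[s[c + (i + 1) % 4]] ^ s[c + (i + 1) % 4] ^ s[c + (i + 2) % 4]
                 ^ s[c + (i + 3) % 4] for c in (0, 4, 8, 12) for i in range(4)]
        s = [x ^ y for x, y in zip(s, rk[r])]
    return bytes(s)

def derive_bulk_key(passphrase, rounds=500000):  # steps 1-6; passphrase is bytes, no NUL/CR/LF
    bulk = bytearray(hashlib.sha512(passphrase).digest()[:32])              # step 1
    rk = expand_key(hashlib.sha512(bytes([passphrase[0] ^ 1]) + passphrase[1:]).digest()[:32])
    for _ in range(rounds):                                                 # step 6
        bulk[:16], bulk[16:] = encrypt_block(rk, bulk[:16]), encrypt_block(rk, bulk[16:])
        bulk[8:16], bulk[16:24] = bulk[16:24], bulk[8:16]                   # step 5
    return bytes(bulk)

def passphrase_matches(passphrase, ciphertext, rounds=500000):             # steps 7-8
    known = bytes([3]) + bytes(15)    # 03 00 ... 00: sector-3 IV XOR sixteen zero bytes
    return encrypt_block(expand_key(derive_bulk_key(passphrase, rounds)), known) == ciphertext
```

Here `ciphertext` is the 16 bytes printed by the dd command above. With 500000 rounds each candidate costs one million AES block encryptions before the comparison, so this pure-Python version is slow per guess.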

