Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 31 Jan 2013 08:28:12 +0200
From: Milen Rangelov <gat3way@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: DMG (was: dmg2john)

Hello,

Ah, thanks. How did you ever get the idea to hardcode that!?
>
>
At that time, all of the dmg files I tried had 1000 iterations. Since I
used vilefault as a starting point, I noticed it is a hardcoded constant
there. Not very wise I admit. BTW what version of OSX are you using to
generate the dmgs?


> Bad news: The iterations count in my test files varies a little and it's
> not even numbers, but it's over 200,000 (how many SHA-1's is that per
> candidate, for a key length of 32? About 800,000 I think?). That's a good
> bump from 1000. At first this did not seem correct (still did not crack)
> but when I dumped the resulting plaintext I could see lots of consecutive
> zeros when the right key is used, so this is actually right. Over 200 times
> slower than older versions.
>
>
This doesn't sound good. That many iterations don't render even GPU attacks
very practical :( The good news is that consecutive zeros. In that case
though checks would be done for data in the last two sectors. Could you
post the decrypted final 3-4 blocks of the dmg file?


> So I added a known-plain test of "8 consecutive nulls" and voila, my test
> files can be cracked. But you will need a lot of luck to crack any file
> with this speed (CPU format can do about 9 c/s per core, OpenCL format just
> hits hits the watchdog timer on my laptop - we have to use a split kernel
> here).
>
> When I incorporated the same to the OpenCL format I noticed that it did
> not support v1 hashes at all although its valid() did not reject them. I
> really hope we don't have more such bad things in unstable. I made it up to
> par with CPU code.
>
>
Isn't the v1/v2 check performed on host? The GPU part should be the same
for both. Unless of course you do the key unwrap on the GPU.


> Anyway, please test. Try old files, new files, different kinds of formats,
> encryption types, partition tables and so on. I bet we need even more known
> plains to test for in order to get every kind of them. This format needs
> its own README stating its limitations.
>
>
My problem with dmg is that I don't have access to Apple machines so all
the inputs I have are several sample files (from vilefault project, from
JtR, from CMIYK contest and several others people sent to me in the past).
All of them had the same well known structure (and the 1000 iterations). So
I guess the iterations thing changed in some recent OSX version. Hopefully,
the layout of the image did not change though as it would require a lot of
additional work.

Regards,
Milen

Content of type "text/html" skipped

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ