john-users - Re: gpg2john -> false positive -> how to exclude?

Openwall GNU/*/Linux 3.0 - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 18 Dec 2012 01:11:53 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: gpg2john -> false positive -> how to exclude?

On 17 Dec, 2012, at 4:01 , Dhiru Kholia <dhiru.kholia@...il.com> wrote:
> On Monday 17 December 2012 04:39 AM, john@...jenski.de wrote:
>> the converted gpg2john hash is:
>> secring.gpg:$gpg$*17*24*1024*2fd8c6834db06ddfe073fd944b6bd8dbd268163e6374ef6f*3*255*2*3*8*bf07a2f4faafa916*65536*6c7784ea65895667 
>> 
>> the one false positive i got is in clear-text: bortaloo
>> (which is not my phrase | and thus does not work for unlocking)
>> 
>> If you need the real secring.pgp and a ciphertext file, private email would be great :)
> Hi Seb,
> 
> This false positive is unexpected. Please send the real secring.pgp file (private email is fine).
> 
> I can check if other softwares give "bortaloo" as the password too.

I tried adding FMT_NOT_EXACT and ran it for a couple hours with a toy GPU. It found 10 "valid" guesses in 2h, 18 minutes (roughly 200 million candidates tried):

bortaloo
dyss
ksm38b
mrh1644
bh994co
g5xck
24279720
w0wory
lt5ntyb
25318696

This "hash" type use the simplest checksumming that will give one false positive out of 64K tries. I notice the 'datalen' is short compared to the test vectors - apparently short enough to emit a false positive from the BN_bin2bn() function once out of about 300 tries. When both these false positives occur for one same candidate, it will result in a false guess (about once in 20 million tries).

magnum