Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 23 Dec 2017 09:09:16 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Recommendations GnuPG-2 replacement

On Fri, Dec 22, 2017 at 08:52:52PM +0100, Solar Designer wrote:
> On Sun, Dec 17, 2017 at 09:06:08AM +0000, halfdog wrote:
>
> > > You may process the private key file with gpg2john, then try to crack it
> > > with john.  This will output the actual value, as well as show you the
> > > speed at which passphrases can be tested against that key on your system
> > > and with that version of JtR.  To use a GPU, add "--format=gpg-opencl".
> > > Please use latest bleeding-jumbo off GitHub for all of this.
> >
> > Done that, but still fighting how to use "gpg2john" with the new
> > gpgv2 "private-keys-v1.d" key format. Exporting the private keys
> > using gpgv2 does not help as that requires the passphrase already,
> > thus removing the gpgv2-encryption, we want to test.
>
> I tried asking a JtR jumbo contributor to look into this, but
> unfortunately I got no response yet, and I had no time to look into it
> myself.  This is something we ought to have an answer to, but I
> currently don't.

Please see https://github.com/magnumripper/JohnTheRipper/issues/847 (Add
support for the new GPG 2.1 "format") regarding this topic.

To summarize,

* Currently, gpg2john does not understand the "private-keys-v1.d" key
  format.

* We have a very rough cracking implementation for "private-keys-v1.d"
  key format at the moment. See "filter.c" on that GitHub issue.

I can start working on a proper native cracking implementation (with GPU
support likely), if there is interest in this stuff.

--
Dhiru

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ