Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 23 Mar 2012 16:55:39 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Research ideas.

On Thu, Mar 22, 2012 at 8:03 PM, RB <aoz.syn@...il.com> wrote:
> On Thu, Mar 22, 2012 at 17:33, Lukas Odzioba <lukas.odzioba@...il.com> wrote:
>> I've asked on the University, they accepted this idea. This summer I
>> would like to focus on performance for existing formats and adding 2-3
>> new formats (suggestions are welcomed).
>
> Blowfish ($2) on a GPU.  It's not terribly common but is agonizingly
> slow compared to pretty much all the rest of the algorithms, saving
> perhaps RAR.  :)  Although my W3565 (soon to change) benches around 2k
> c/s with 4 OMP threads, against a single hash I'm seeing at most 100
> c/s.  This makes even simple dictionary runs a practice in patience.
>
> Beyond that, more container formats are always welcome, it's been nice
> to see JtR adding the various pieces of functionality we used to have
> to go elsewhere for - zip, pdf, etc.  Perhaps Truecrypt or some of the
> password lockers like KeePass or Password Safe.  7-zip as well, I'd
> love to see them all here one day.
I'm sending this as a possible addition to the GSoC Ideas page
(http://openwall.info/wiki/ideas). I've also shared most of this info
with Dhiru Kholia, but I thought it would be better to share with the
list at large. I think JtR could help a lot with Office (be it
Open/Star/Libre Office or MS Office) password recovery, and this may
be another place where GPU coding may be of benefit. MS office
versions 97, 98, 2000, XP, and 2003 defaulted to RC4 40-bit
encryption. The 40-bit encryption offers some resistance to brute
force, but is severely lacking in the possible encryption keys. (2 ^
40 = 1,099,511,627,776) Finding the Encryption key is potentially the
fastest way to recover, even MS thinks so :)
http://blogs.msdn.com/b/david_leblanc/archive/2010/04/16/don-t-use-office-rc4-encryption-really-just-don-t-do-it.aspx
http://blogs.msdn.com/b/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx

It's speculated that all the keys written to disc would occupy around
18Gig's. I'm sure it's entirely possible to optimize that like rainbow
tables do and OphCrack/Decryptum/ElcomSoft/Passware have done so
already.
This may also apply to older PDF versions as all these same
RainbowTable providers purport to have similar tables for older PDF
files. Elcomsoft seems to have both Word and PDF in one "ThunderTable"
http://blog.crackpassword.com/2009/05/thunder-tables/ at around 4Gig's
in size. I believe the affected versions of PDF are quite old however
(up to pdf ver 1.3 or acrobat 2 - 4)

I've found these resources, and have known of the flaws for some time
(like using "VelvetSweatshop" as the password zeros out the encryption
because it is the key in 97-2003)
http://msdn.microsoft.com/en-us/library/cc313071%28v=office.12%29.aspx
(MS-OFFCRYPTO)
http://offcrypto.codeplex.com/releases/view/22783#DownloadId=57606 (C#
ehh what can you do)
http://www.microsoft.com/openspecifications/en/us/programs/osp/ooxml/default.aspx
(Specifications)
http://www.microsoft.com/openspecifications/en/us/programs/osp/office-file-formats/default.aspx
(Specifications)
http://www.lyquidity.com/devblog/?p=35
http://www.lyquidity.com/devblog/?p=85
http://www.password-crackers.com/blog/?p=16
http://www.password-crackers.com/blog/?p=34

I am also placing a tarball of various document's I've made using
various old and new office, and 3rd party office
(OpenOffice/LibreOffice etc) that are password protected. The file
names have the Cipher they were encrypted with and the password that
they were encrypted with. Something to note is that MS Office
truncates the 97-2000 40-bit RC4 encrypted passwords to 15 characters.
See the Readme files about the naming convention used in my tarball.
I've tested each of these files against the various free tools and two
I have paid for and have been able to recover using dictionaries and
or key exhaustion.
MS Office does offer more options of encryption, and I've also made
and tested these files also. These files that don't have "97-2000" in
the name must be brute-forced however, at least that is what everyone
else is doing :)

As far as more modern (default) encryption, 128-Bit AES is used on
Office 2007 and 2010.On a related note I believe the ODF spec uses
Blowfish/PBKDF2
http://docs.oasis-open.org/office/v1.2/cs01/OpenDocument-v1.2-cs01-part3.html#__RefHeading__752815_826425813
http://ringlord.com/dl/Decrypting%20ODF%20Files.pdf
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/bioctl/pbkdf2.c?rev=HEAD&content-type=text%2Fplain
(PBKDF2 in C)

The MS-OFFCRYPTO I linked to above should have all the resources
details about Microsoft office crypto.OpenSSL seems to have RC4
available, I also understand there is a lot of C source code examples
for RC4.
At the very least I hope this is good information, I realize too that
the "encryption key exhaustion" method, in essence could be considered
a rainbow table of the 1 trillion possible keys and is something JtR
has not had or intended to work with previously. JtR typically doesn't
have such an "opportunity" to take such "shortcuts" afaik... However
other crackers seem to claim using GPU and 4 clients can recover the
key in less than a day:
http://www.password-crackers.com/crack/guaexcel.html Perhaps JtR could
give the option of writing the keys to disk as some point in the
future if anyone even want's to look into this method/task at all.

Example Doc's:
http://sc.openoffice.org/testdocs/filetype/ms_excel_xml_encrypted_aes128.xlsx
(Password)
http://xinn.org/test__data/Office_Secrets.tar.gz

I hope that is enough info for someone to do something interesting
with Office products.
-rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.