Date: Fri, 11 Jan 2013 00:06:39 +0200
From: Milen Rangelov <gat3way@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: npdf2john

Hello,

I was contacted by LastPass regarding that offline attack. To cut the long story short, they were open and friendly and offered to help me with the cryptography questions I had. They did not believe we do an offline attack initially (they thought it was captured network traffic), so I explained what we did. They also told me what is being employed in Windows (the mysterious encrypted IE and Firefox stuff).

So, bad news: we're up against something evil - DPAPI.

What really struck me as odd is that the encrypted XML on Android looks very much like the sxml from Windows, and I doubt that there is a DPAPI implementation for Java on Android. But then I am a noob in the Android world, so who knows :)

So basically we have a real problem with that. DPAPI was reverse-engineered and I need to read the paper, but from what I remember it is tied to the local account's password in a way (a SHA1 hash of the password is applied somehow, from what I remember). So in the Windows case, we would need the local account password, which makes it really hard to crack :(

If anyone is acquainted with how DPAPI works, details would be much appreciated :)

On Thu, Jan 10, 2013 at 6:09 PM, shane Shane <shane@...twareontheside.info> wrote:
> > Well, unfortunately the mail address takes part in the key derivation
> > process
>
> By default the LastPass app remembers the email address, so for most
> offline attacks this shouldn't be an issue. Also, chances are the
> individual's phone has an email address or two on it that is most likely the
> email address used for their LastPass account, so even if the user has
> unchecked "remember my email" in the app you'd still have a good guess at the
> person's LastPass email.
>
> Regards,
> Shane