Date: Tue, 8 Apr 2014 13:46:12 -0400 From: Rich Rumble <richrumble@...il.com> To: john-users@...ts.openwall.com Subject: Re: Secure Mode for John On Tue, Apr 8, 2014 at 10:14 AM, Rich Rumble <richrumble@...il.com> wrote: > > On Sun, Mar 2, 2014 at 8:51 PM, Mark Butler <markb@....ibm.com> wrote: > >> > A first try is now committed to bleeding-jumbo. Enable by setting >> > SecureMode=Y in john.conf. >> > I like this mode, however, what could be done about sharing the hashes > when you have to distribute, but you do not want the hashes to work if this > JtR mode isn't enabled? > This would require a bit of effort, and I'm just spit-balling, but could > GPG be used to encrypt the hashes I want to distribute, and be decrypted in > memory (using some --pub-key option) so that they can then be tried in JtR? > My first post wasn't that well thought out, if you have the key and the (encrypted)hashes, it's trivial to decrypt, you'd need a "secret" method of doing the key exchange, something more like the way SSL/TLS do with PFS. I think something like Perfect Forward Secrecy may solve the issue better, but that could be an entire architecture in of itself I guess, some kind of client/server setup.The simplest method I guess would be for *john* to ssh/scp etc to a server and just keep the hashes in memory, and try not to write them to disk, but rather write them to the remote end. This all probably makes more sense as an add-on rather than inside JtR itself. There may be functions, similar to secure-mode or additions to secure-mode, that make more sense. and that the 3rd party script/binary can use with John. It makes more sense as an add-on, instead of john including a full blown FHMQV client/server mechanism or what have you. The end goal is to be able to have collaborators you don't trust to help with the load. Perhaps something like this for the next CMIYC, some kind of wrapper that makes the most of a given resource and can be CnC'd from a central server. Excuse my ramblings :) -rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.