Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Apr 2014 13:46:12 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Secure Mode for John

On Tue, Apr 8, 2014 at 10:14 AM, Rich Rumble <richrumble@...il.com> wrote:

>
> On Sun, Mar 2, 2014 at 8:51 PM, Mark Butler <markb@....ibm.com> wrote:
>
>> > A first try is now committed to bleeding-jumbo. Enable by setting
>> > SecureMode=Y in john.conf.
>>
> I like this mode, however, what could be done about sharing the hashes
> when you have to distribute, but you do not want the hashes to work if this
> JtR mode isn't enabled?
> This would require a bit of effort, and I'm just spit-balling, but could
> GPG be used to encrypt the hashes I want to distribute, and be decrypted in
> memory (using some --pub-key option) so that they can then be tried in JtR?
>

My first post wasn't that well thought out, if you have the key and the
(encrypted)hashes, it's trivial to decrypt, you'd need a "secret" method of
doing the key exchange, something more like the way SSL/TLS do with PFS.

I think something like Perfect Forward Secrecy may solve the issue better,
but that could be an entire architecture in of itself I guess, some kind of
client/server setup.The simplest method I guess would be for *john* to
ssh/scp etc to a server and just keep the hashes in memory, and try not to
write them to disk, but rather write them to the remote end. This all
probably makes more sense as an add-on rather than inside JtR itself. There
may be functions, similar to secure-mode or additions to secure-mode, that
make more sense. and that the 3rd party script/binary can use with John. It
makes more sense as an add-on, instead of john including a full blown FHMQV
client/server mechanism or what have you.

The end goal is to be able to have collaborators you don't trust to help
with the load. Perhaps something like this for the next CMIYC, some kind of
wrapper that makes the most of a given resource and can be CnC'd from a
central server. Excuse my ramblings :)
-rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.