Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 4 Sep 2021 17:19:52 +0200
From: magnum <>
Subject: Re: brute forcing AES key

On 2021-09-03 17:41, wrote:
> I have a string, result of encryption by an App.
> The code for encryption of this App is visible here: <>
> It looks to me that the dev of this App is missing something important: he did not use a derivation fonction to create a secret key, he uses the user provided password directly as an encryption key.
> So I guess it would be feasible to use a password cracker software like JtR to brute force the password / key and decrypt the string I have.
> Is that possible with JtR, if at all?

A format for attacking this should be, potentially, very fast.  I didn't 
look a lot into that link you gave but the tricky bit is likely to know 
when we made a correct guess.  It goes like this: Try a candidate, 
decrypt some ciphertext, verify against some known plaintext (or 
plaintext-ish).  If it's correct, we guessed the correct password.

So, if we can identify some plaintext (such as a file magic) or 
plaintext-ish (such as json or xml and/or 100% UTF-8 or ASCII) we can 
hopefully write a format for this.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.