Date: Sat, 4 Sep 2021 17:19:52 +0200 From: magnum <john.magnum@...hmail.com> To: john-users@...ts.openwall.com Subject: Re: brute forcing AES key On 2021-09-03 17:41, p+password@...atpro.net wrote: > I have a string, result of encryption by an App. > The code for encryption of this App is visible here: <https://github.com/Anubis901/SafeCrypto/blob/main/lib/encryption.dart> > It looks to me that the dev of this App is missing something important: he did not use a derivation fonction to create a secret key, he uses the user provided password directly as an encryption key. > So I guess it would be feasible to use a password cracker software like JtR to brute force the password / key and decrypt the string I have. > > Is that possible with JtR, if at all? A format for attacking this should be, potentially, very fast. I didn't look a lot into that link you gave but the tricky bit is likely to know when we made a correct guess. It goes like this: Try a candidate, decrypt some ciphertext, verify against some known plaintext (or plaintext-ish). If it's correct, we guessed the correct password. So, if we can identify some plaintext (such as a file magic) or plaintext-ish (such as json or xml and/or 100% UTF-8 or ASCII) we can hopefully write a format for this. magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.