Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 11 Sep 2021 12:36:56 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: brute forcing AES key

On 2021-09-10 20:55, p+password@...atpro.net wrote:
> On 10 Sep 2021, at 18:36, magnum <john.magnum@...hmail.com> wrote:
>> But if you post a couple of sample vaults and the passwords for them, I'll have a look at it sooner or later. One vault should be empty (just create it, don't add any wallet) and one should be populated with some mockup data.
> 
> Ok here we go:
> 
> Empty vault file name: emptyvault.cryptoSafe
> Empty vault file content: (one line, no trailing newline character) 62eIxonP+2mIsrhfIn0IzQ==
> Empty vault password: foobar
> 
> ETH vault file name: ETHkey.cryptoSafe
> ETH vault file content: (one line, no trailing newline character) RJ+YWtuyOoLnnOpOdmj43+hwO5cquMsSO3f/OiQfINofM+c0JVbIyUTQg3St+1Ue09QiZKlNnCAmlPHq2wuI31QoZQ/KNKZT/VMLd3qYbkOv873HT4wsYeavSwOqrdVdxpEimkqgdDkGP7XHfeFUCv6+jXFZioiR8jYrgxA8fDQQ5C+YReuvfiqLGaVrC9ih58X8Q7NLxAlQTGSQvHgsZI6DNfAsXw3Zt++fIJh9bdLzHDEBF/pLp47zj132UOYr6TuufnnA+HeUISdk+xH6/w==
> ETH vault password: foobar

This decrypts to (hex) : 6b6d3e3e3e3e3e3e3e3e3e3e3e3e3e3e. The padding 
is weird, should be 14 x 0e but it's 14 x 3e. Not sure why, it might be 
a bug showing up only with empty vaults (which aren't worth cracking 
anyway).

> Apparently the vault content is a concatenation of multiple informations: coin name, pub key, private key, seed and comment as shown on the last screen capture displayed on https://github.com/Anubis901/SafeCrypto . I can't find in the code any information regarding that storage :(
> Here are the info for the ETH vault:
> 
> ETH vault coin name: ETH
> ETH public key: 0x4ac97B48CbBF9D54AE1f07bF72b10F19eBE30BB1
> ETH private key: a5f54b647905db05a82d523fe0027a5da9760c2e97e4124448896f7333cdf96f
> ETH seed: (left blank)
> ETH vault comment: (left blank)

Decrypted hex: 6b4b12535f595e(...)3934227d5d07070707070707

As you can see we got expected padding this time: seven bytes of 07.

Plaintext: kKS_Y^~Q]U
udH","publicKey":"0x4ac97B48CbBF9D54AE1f07bF72b10F19eBE30BB1","privateKey":"a5f54b647905db05a82d523fe0027a5da9760c2e97e4124448896f7333cdf96f","seed":"","comment":"","id":"1631298033694"}]

We could look for that constant string "publicKey" within, say, the 
first two blocks of AES. But I sort of think we can trust the padding as 
long as the vault isn't completely empty - it's faster than scanning.

> thanks to 0 padding up to 32 chars, using password foobar in the app GUI gives the same result as foobar0000, foobar0000000000, foobar000000000000000, etc., this app is so nicely coded… :)

Yes, I noticed the iv is also 16 x ASCII "0" as opposed to null bytes.

I now opened https://github.com/openwall/john/issues/4804 for 
implementing this format.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.