Erik Grinaker wrote:
> Sorry for the late reply...
> On Sat, 2006-04-15 at 02:47 +0200, Christian Tschabuschnig wrote:
>> i want to do a dictionary-attack on a revelation-password-file. do you 
>> know of any tools that attack a revelation-file directly or another way 
>> to do an automized attack?
> There are no tools for this, but the files can be brute-forced just like
> any other encrypted file. Just use this script [1], and modify it to
> loop over your dictionary and check if the decrypted data starts with
> <?xml - if so, bingo, you just found the password.
> [1]
> (not sure if this works with the current file format, but I think it should)
>> the password consists of substrings of a very few (about ten to twenty) 
>> known strings. so it should be possible to crack it in a reasonable 
>> amount of time with a program, right?
> If you only have a few hundred possible keys, then yeah, should be
> doable in a few minutes.

You could write your script to first build a database of the encryption
of the text <?xml using all the different passwords in your list.  Then,
you just need to do a binary search for the first few bytes of the
encrypted text.

> Remember kids: encryption places all security in the key, so make sure
> you pick secure passwords. This information is available to anyone who
> bothers to skim through the sourcecode.

I should point out here that PBKDFv2 (or RFC2898 is designed to make this type
of attack more difficult and computationally harder.  Every password is
first salted and then we iterate a hash function a bunch of times...


Reply via email to