Erik Grinaker wrote:
> Sorry for the late reply...
> On Sat, 2006-04-15 at 02:47 +0200, Christian Tschabuschnig wrote:
>> i want to do a dictionary-attack on a revelation-password-file. do you
>> know of any tools that attack a revelation-file directly or another way
>> to do an automized attack?
> There are no tools for this, but the files can be brute-forced just like
> any other encrypted file. Just use this script , and modify it to
> loop over your dictionary and check if the decrypted data starts with
> <?xml - if so, bingo, you just found the password.
>  http://oss.codepoet.no/pipermail/revelation-list/2004-August/000019.html
> (not sure if this works with the current file format, but I think it should)
>> the password consists of substrings of a very few (about ten to twenty)
>> known strings. so it should be possible to crack it in a reasonable
>> amount of time with a program, right?
> If you only have a few hundred possible keys, then yeah, should be
> doable in a few minutes.
You could write your script to first build a database of the encryption
of the text <?xml using all the different passwords in your list. Then,
you just need to do a binary search for the first few bytes of the
> Remember kids: encryption places all security in the key, so make sure
> you pick secure passwords. This information is available to anyone who
> bothers to skim through the sourcecode.
I should point out here that PBKDFv2 (or RFC2898
http://www.rfc-editor.org/rfc/rfc2898.txt) is designed to make this type
of attack more difficult and computationally harder. Every password is
first salted and then we iterate a hash function a bunch of times...