Erik Grinaker wrote: > Sorry for the late reply... > > On Sat, 2006-04-15 at 02:47 +0200, Christian Tschabuschnig wrote: >> i want to do a dictionary-attack on a revelation-password-file. do you >> know of any tools that attack a revelation-file directly or another way >> to do an automized attack? > > There are no tools for this, but the files can be brute-forced just like > any other encrypted file. Just use this script [1], and modify it to > loop over your dictionary and check if the decrypted data starts with > <?xml - if so, bingo, you just found the password. > > [1] http://oss.codepoet.no/pipermail/revelation-list/2004-August/000019.html > > (not sure if this works with the current file format, but I think it should) > > >> the password consists of substrings of a very few (about ten to twenty) >> known strings. so it should be possible to crack it in a reasonable >> amount of time with a program, right? > > If you only have a few hundred possible keys, then yeah, should be > doable in a few minutes.
You could write your script to first build a database of the encryption of the text <?xml using all the different passwords in your list. Then, you just need to do a binary search for the first few bytes of the encrypted text. > > > Remember kids: encryption places all security in the key, so make sure > you pick secure passwords. This information is available to anyone who > bothers to skim through the sourcecode. > > I should point out here that PBKDFv2 (or RFC2898 http://www.rfc-editor.org/rfc/rfc2898.txt) is designed to make this type of attack more difficult and computationally harder. Every password is first salted and then we iterate a hash function a bunch of times... John
