[dm-crypt] Brute force aes-plain

[dm-crypt] Brute force aes-plain

[Kereoz]

Hi all,

Quick story:
- are there any knows issues with plain dm-crypt volumes in Debian ? (Other than the
  default changing from aes-cbc-plain to aes-cbc-essiv ?)
- anyone here tried bruteforcing aes-cbc-plain (I got a rather short key) ? 

(Could you please CC me in the replies to this thread as I am not (yet ?) a
subscriber of this mailing list).

Long story:
I recently came back from a one year trip abroad, and got my hands back on an
encrypted hard drive I left there. I was pretty sure I knew the key for this
drive but after trying everything I could think about it is now sitting on my
desk until I find a solution. 

I don't know for sure whether I forgot the key or I am using the wrong
algorithm, as the version of cryptsetup I was using at the time was different
(different Debian release) and I read the defaults have changed. I am fairly
sure I used the '-c aes-plain' option initially but I had no luck with it. I
also tried aes-cbc-essiv and had no luck either. Is there anything else I could
try ?

Now, in the case I just forgot the key, it wasn't very long anyway (~ 10
characters) and I got some ideas about the characters it might contain.
Considering that most chances are that the algorithm is aes-cbc-plain, it is
probably possible. I tried writing a script for this, but there are several
issues :
- cryptsetup takes a while to create a devmapper mapping
- trying to mount the partition also takes a while
- cryptsetup then takes a while to delete the devmapper mapping

When you put that together, it is definitely too slow to bruteforce anything.

Is there anything faster I could use here ? I assume the best solution would be
to extract a couple of blocks from the hard drive, those containing the
filesystem superblock, decrypt it and then try to match the filesystem magic
number (reiser). I don't know how to do the decryption part quick enough for a
brute-force approch. Any suggestion would be appreciated.

Regards,
Kereoz

Re: [dm-crypt] Brute force aes-plain

[Arno Wagner]

Hi,

On Wed, May 16, 2012 at 07:03:40PM +0200, Kereoz wrote:
> Hi all,
> 
> Quick story:
> - are there any knows issues with plain dm-crypt volumes in Debian ? (Other than the
>   default changing from aes-cbc-plain to aes-cbc-essiv ?)

Not to my knowledge, no. The change is documented in FAQ item 8.1
(http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions(

> - anyone here tried bruteforcing aes-cbc-plain (I got a rather short key) ? 

Someone tried to brute-force an encoding issue a while back,
but that is not what you need.

> (Could you please CC me in the replies to this thread as I am not (yet ?) a
> subscriber of this mailing list).
> 
> Long story:
> I recently came back from a one year trip abroad, and got my hands back on an
> encrypted hard drive I left there. I was pretty sure I knew the key for this
> drive but after trying everything I could think about it is now sitting on my
> desk until I find a solution. 
> 
> I don't know for sure whether I forgot the key or I am using the wrong
> algorithm, as the version of cryptsetup I was using at the time was different
> (different Debian release) and I read the defaults have changed. I am fairly
> sure I used the '-c aes-plain' option initially but I had no luck with it. I
> also tried aes-cbc-essiv and had no luck either. Is there anything else I could
> try ?

You could just intsall that old release to be sure. Or maybe just
get the binary or source package and check that way. But AFAIK
Debian never changed anything from the package defaults, so these
two should be it.

> Now, in the case I just forgot the key, it wasn't very long anyway (~ 10
> characters) 

That is actually relativly long. 

> and I got some ideas about the characters it might contain.
> Considering that most chances are that the algorithm is aes-cbc-plain, it is
> probably possible. I tried writing a script for this, but there are several
> issues :
> - cryptsetup takes a while to create a devmapper mapping
> - trying to mount the partition also takes a while
> - cryptsetup then takes a while to delete the devmapper mapping
> When you put that together, it is definitely too slow to bruteforce anything.

Well, yes.

> Is there anything faster I could use here ? I assume the best solution would be
> to extract a couple of blocks from the hard drive, those containing the
> filesystem superblock, decrypt it and then try to match the filesystem magic
> number (reiser). 

Yes. There is a filesystem recognition linrary somewhere
(used by mount -t auto), that may also be helpful. 

> I don't know how to do the decryption part quick enough for a
> brute-force approch. Any suggestion would be appreciated.

Hmm. Use the password hashing from the c-sources of cryptsetup (it is a
bit more complicated than just direct hashing) and instead of doing
a mapping, use an external AES implementation (gcrypt, openssl, etc.)
to decrypt your test-data. Make sure to get the IV right. It should
be the sector number for "-plain".

I would suggest to make this work first with generated test-data. (New
volume, new FS, key e.g. "abc"), and when that works then try
it on you actual data. May take a few days of programming though.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

Re: [dm-crypt] Brute force aes-plain

[Kereoz]

On Thu, May 17, 2012 at 09:27:28AM +0200, Arno Wagner wrote:
> Hi,

Hi,

> > I don't know for sure whether I forgot the key or I am using the wrong
> > algorithm, as the version of cryptsetup I was using at the time was different
> > (different Debian release) and I read the defaults have changed. I am fairly
> > sure I used the '-c aes-plain' option initially but I had no luck with it. I
> > also tried aes-cbc-essiv and had no luck either. Is there anything else I could
> > try ?
> 
> You could just intsall that old release to be sure. Or maybe just
> get the binary or source package and check that way. But AFAIK
> Debian never changed anything from the package defaults, so these
> two should be it.

I'll give it a go just in case (probably using the Debian snapshots to make sure
I reproduce the same behavior may it be different).
 
> > Is there anything faster I could use here ? I assume the best solution would be
> > to extract a couple of blocks from the hard drive, those containing the
> > filesystem superblock, decrypt it and then try to match the filesystem magic
> > number (reiser). 
> 
> Yes. There is a filesystem recognition linrary somewhere
> (used by mount -t auto), that may also be helpful. 

Good to know, I'll check this out. Reiser is fairly easy to recognize though (as
you can just grep the "reiser" string).
 
> > I don't know how to do the decryption part quick enough for a
> > brute-force approch. Any suggestion would be appreciated.
> 
> Hmm. Use the password hashing from the c-sources of cryptsetup (it is a
> bit more complicated than just direct hashing) and instead of doing
> a mapping, use an external AES implementation (gcrypt, openssl, etc.)
> to decrypt your test-data. Make sure to get the IV right. It should
> be the sector number for "-plain".

Perfect, this is exactly what I needed to know.
 
> I would suggest to make this work first with generated test-data. (New
> volume, new FS, key e.g. "abc"), and when that works then try
> it on you actual data. May take a few days of programming though.

I'll have a look when I have some time and will let the list know if I get it to
work.

Thank you for your answer.
-- 
Kereoz