Re: [dm-crypt] Brute force aes-plain

[Arno Wagner <arno@wagner.name>]

Hi,

On Wed, May 16, 2012 at 07:03:40PM +0200, Kereoz wrote:
> Hi all,
> 
> Quick story:
> - are there any knows issues with plain dm-crypt volumes in Debian ? (Other than the
>   default changing from aes-cbc-plain to aes-cbc-essiv ?)

Not to my knowledge, no. The change is documented in FAQ item 8.1
(http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions(

> - anyone here tried bruteforcing aes-cbc-plain (I got a rather short key) ? 

Someone tried to brute-force an encoding issue a while back,
but that is not what you need.

> (Could you please CC me in the replies to this thread as I am not (yet ?) a
> subscriber of this mailing list).
> 
> Long story:
> I recently came back from a one year trip abroad, and got my hands back on an
> encrypted hard drive I left there. I was pretty sure I knew the key for this
> drive but after trying everything I could think about it is now sitting on my
> desk until I find a solution. 
> 
> I don't know for sure whether I forgot the key or I am using the wrong
> algorithm, as the version of cryptsetup I was using at the time was different
> (different Debian release) and I read the defaults have changed. I am fairly
> sure I used the '-c aes-plain' option initially but I had no luck with it. I
> also tried aes-cbc-essiv and had no luck either. Is there anything else I could
> try ?

You could just intsall that old release to be sure. Or maybe just
get the binary or source package and check that way. But AFAIK
Debian never changed anything from the package defaults, so these
two should be it.

> Now, in the case I just forgot the key, it wasn't very long anyway (~ 10
> characters) 

That is actually relativly long. 

> and I got some ideas about the characters it might contain.
> Considering that most chances are that the algorithm is aes-cbc-plain, it is
> probably possible. I tried writing a script for this, but there are several
> issues :
> - cryptsetup takes a while to create a devmapper mapping
> - trying to mount the partition also takes a while
> - cryptsetup then takes a while to delete the devmapper mapping
> When you put that together, it is definitely too slow to bruteforce anything.

Well, yes.

> Is there anything faster I could use here ? I assume the best solution would be
> to extract a couple of blocks from the hard drive, those containing the
> filesystem superblock, decrypt it and then try to match the filesystem magic
> number (reiser). 

Yes. There is a filesystem recognition linrary somewhere
(used by mount -t auto), that may also be helpful. 

> I don't know how to do the decryption part quick enough for a
> brute-force approch. Any suggestion would be appreciated.

Hmm. Use the password hashing from the c-sources of cryptsetup (it is a
bit more complicated than just direct hashing) and instead of doing
a mapping, use an external AES implementation (gcrypt, openssl, etc.)
to decrypt your test-data. Make sure to get the IV right. It should
be the sector number for "-plain".

I would suggest to make this work first with generated test-data. (New
volume, new FS, key e.g. "abc"), and when that works then try
it on you actual data. May take a few days of programming though.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell