![Page 1: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/1.jpg)
WHEN FILE ENCRYPTION HELPS PASSWORD CRACKINGPHDays V
Sylvain Pelissier, Roman KorkikianMay 26, 2015
![Page 2: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/2.jpg)
IN BRIEF
Password hashingPassword crackingeCryptfs presentationeCryptfs salting problemCorrectionQuestions
2
![Page 3: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/3.jpg)
PASSWORD HASHING
3
![Page 4: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/4.jpg)
PASSWORD CRACKING
From the hash recover the password value.
4
![Page 5: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/5.jpg)
BRUTEFORCE
1. Get the hash file /etc/shadow
2. For all possible password, compute H(password) until amatch is found in the file.
3. Output password
5
![Page 6: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/6.jpg)
PRE-COMPUTED DICTIONNARY ATTACK
1. Create a database of all (password,H(password)).2. To crack a given password hash, check if it is in the
database.3. Output the corresponding password
6
![Page 7: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/7.jpg)
RAINBOW TABLE ATTACK
Trade-off between computation and memory.
7
![Page 8: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/8.jpg)
SALTING
Compute H(salt||password) instead of H(password)and store both salt and hash.Make dictionary and rainbow table attacks much moredifficult but not bruteforce attack.Salting is used in most modern systems i.e Linux uses5000 iterations of SHA-512 with randomly generated salt.
8
![Page 9: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/9.jpg)
PASSWORD CRACKING
Well studied problem.Several optimized tools:
I John the ripper (www.openwall.com/john).I hashcat (hashcat.net/oclhashcat).
Password Hashing Competition (PHC) toselect new password hashing algorithms(password-hashing.net).Hashrunner contest
9
![Page 10: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/10.jpg)
ECRYPTFS
File encryption software (ecryptfs.org).Included in the Linux Kernel.Used for user home folder encryption byUbuntu.
10
![Page 11: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/11.jpg)
ECRYPTFS UTILS
11
![Page 12: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/12.jpg)
ECRYPTFS UTILS
1. During creation of the encrypted home folder, apassphrase (16 bytes by default) is randomly generated.
2. The passphrase is use for file encryption (AES by default).3. The passphrase is stored encrypted in the file:
/home/.ecrpytfs/$USER/.ecrpytfs/wrapped-passphrase
4. The process of passphrase encryption is called keywrapping.
12
![Page 13: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/13.jpg)
KEY WRAPPING
13
![Page 14: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/14.jpg)
KEY WRAPPING
14
![Page 15: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/15.jpg)
KEY WRAPPING
15
![Page 16: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/16.jpg)
KEY UNWRAPPING
16
![Page 17: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/17.jpg)
ECRYPTFS DEFAULT SALT
1. eCryptfs uses a salt for the key wrapping process.2. However, if not specified in the file ~/.ecryptfsrc, the
salt has always the same value (0x0011223344556677)for every installations.
3. If the whole home folder is encrypted then it is not possibleto use another salt value than default.
17
![Page 18: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/18.jpg)
ECRYPTFS
For simplicity, in Ubuntu, the wrappingpassword is directly the user password !
With the default salt, dictionary and rainbowtable attacks against the user password arefeasible with the wrapping key signature.
18
![Page 19: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/19.jpg)
JOHN THE RIPPER
eCryptfs signature cracking has been already implementedin John the ripper 1.8.0-jumbo:$ecryptfs$0$1$0011223344556677$21ff10301b5457e1
Python script ecryptfs2john.py exports the signature fromthe wrapped-passphrase file to John the ripper format.
19
![Page 20: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/20.jpg)
RESULTS
We computed a dictionary of key signatures of therockyou file (~14 millions passwords) for the defaultsalt.It took us one month on a standard computer.The dictionary can now be used to reverse asignature instantly.(Available at: https://github.com/kudelskisecurity)
20
![Page 21: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/21.jpg)
CORRECTION
Default salt problem has been alreadyreported in bug #906550.For our findings about Ubuntu, a new CVE#2014-9687 was opened and quickly fixedby eCryptfs developers.
21
![Page 22: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/22.jpg)
CORRECTION
New file format for wrapped-passphrase file starts with0x3a02.Salt is generated from /etc/urandom/ and stored in thesame file by defaultOld version files are automatically converted after theupdate.Hashing speed makes it a less attractive target now forpassword cracking.JTR Python script updated to crack new file format.
22
![Page 23: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/23.jpg)
CORRECTION
23
![Page 24: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/24.jpg)
CONCLUSION
As soon as password is used for otherfeatures it increases attack surface.New key derivation functions could be usedin eCryptfs:
I PBKDF2I PHC candidates
24
![Page 25: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/25.jpg)
25
![Page 26: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/26.jpg)
JOHN THE RIPPER
eCryptfs:$ ./john pass.txtLoaded 1 password hash (eCryptfs [65536x SHA-512])Will run 4 OpenMP threadsPress ’q’ or Ctrl-C to abort, almost any other key for statustest (?) 1g 0:00:00:01 DONE 2/3 (2015-03-11 16:04) 0.6666g/s149.3p/s 149.3c/s 149.3C/s lacrosse..topgunUse the "-show" option to display all of the cracked passwordsreliably Session completed
26
![Page 27: When file encryption helps password cracking - PHDays V$ ./john pass.txt Loaded 1 password hash (eCryptfs [65536x SHA-512]) Will run 4 OpenMP threads Press ’q’ or Ctrl-C to abort,](https://reader036.vdocuments.net/reader036/viewer/2022063004/5f7ac380d78235640f3bc0fb/html5/thumbnails/27.jpg)
JOHN THE RIPPER
Linux password:$ ./john pass.txtLoaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 64/64OpenSSL])Will run 4 OpenMP threadsPress ’q’ or Ctrl-C to abort, almost any other key for status0g 0:00:00:03 2/3 0g/s 1771p/s 1771c/s 1771C/s Sandy..MaydaySession aborted
27