
Huge Problem with cryptoloop and AES: Lost Password


Lars Reimann

Nov 17, 2006, 9:50:18 AM
Hi all,

I've a huge problem: I have mission critical data on a 400 GB RAID 1 (2x400). I encrypted a single partition spanning all disk space with the following setup:

losetup -e AES256 -C 500 /dev/loop0 /dev/md2

The filesystem of md2 was ext3 or ext2. ext2 most likely.

I stored my 20 character passwords on my Palm device only (I know by now that this was stupid!). However, that one crashed and apparently all data was lost, including passwords.
However, I may remember certain details of the password, for example which characters I did not use, and how the password ends.

My first question is whether there is ANY way to recover the data. I heard about cryptoloop being weak, and if I could remember some more details about the password, it could be narrowed down to some characters. For example, it begins with a letter, then a number...

Also, I would like to automate trying different passwords. Is there a program available which does such (brute force) things with the cryptoloop? However, I may have to write it on my own if nothing is available. I heard it may be possible to extract some sectors of ext2/3 partitions which are always "zero". Then the decryption can be verified by using such sectors. Does anyone have an idea which SECTORS these are on ext2/3 partitions and how to extract them?

My goal is to test the decryption on a faster system, maybe on a cluster system. But ANY IDEAS ARE WELCOME. I know the result set is big, but the data is really important... and I am prepared to try to recover it for a long time.


greeting,
L.R.


-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/


Dale Amon

Nov 17, 2006, 3:34:05 PM
It may be cheaper to send the disk from your palm
out to a facility that does data recovery.

--
------------------------------------------------------
Wyoming Space and Information Systems
Dale Amon am...@vnl.com +44-7802-188325
We serve the New Space industry
------------------------------------------------------

markus reichelt

Nov 17, 2006, 4:06:07 PM
* Lars Reimann <ma...@lars-reimann.de> wrote:

> My first question is whether there is ANY way to recover the data. I
> heard about cryptoloop being weak, and if I could remember some more
> details about the password, it could be narrowed down to some
> characters. For example, it begins with a letter, then a number...

Without the password, chances are slim of recovering your data.

Did you use a sole password or a pw protected gpg keyfile?


> Also, I would like to automate trying different passwords. Is there
> a program available which does such (brute force) things with the
> cryptoloop? However, I may have to write it on my own if nothing is
> available. I heard it may be possible to extract some sectors of
> ext2/3 partitions which are always "zero". Then the decryption can
> be verified by using such sectors. Does anyone have an idea which
> SECTORS these are on ext2/3 partitions and how to extract them?

Known plaintext attack. Possible, but you'd be better off cracking
the password bruteforce, given that you partially remember it.

Modern fs are structured in a certain way so one knows which sectors
to seek out. If one knows the start of the fs / partition...

Basically, it's about what Jari wrote here
http://marc.theaimsgroup.com/?l=linux-kernel&m=107419912024246&w=2


> My goal is to test the decryption on a faster system, maybe on a
> cluster system. But ANY IDEAS ARE WELCOME. I know the result set is
> big, but the data is really important... and I am prepared to try to
> recover it for a long time.

Well, if you used a gpg encrypted keyfile (doesn't matter which
v-format version it was, really) ... have a look at nasty. It's a
bruteforce tool, http://www.vanheusden.com/nasty/

--
left blank, right bald

Christian Kujau

Nov 18, 2006, 5:33:50 AM
On Fri, 17 Nov 2006, Lars Reimann wrote:
> I've a huge problem: I have mission critical data on a 400 GB RAID 1 (2x400).

Something you don't wanna hear right now, but still: "mission critical
data" always has a backup (and no, RAID is not a backup).

> lost, including passwords. However, I may remember certain details of the
> password, for example which characters I did not use, and how the password ends.

How many characters do you know *for sure*? Even if there're still 10
unknown characters left and you're sure that you only used alphanumeric
characters, perhaps a few special characters, the already suggested
brute-force attack might be worth trying (and interesting!).

> may have to write it on my own if nothing is available. I heard it may be
> possible to extract some sectors of ext2/3 partitions which are always

Filesystems often (always?) have "magic numbers" at the beginning:

$ file -s /dev/sda2
/dev/sda2: Linux rev 1.0 ext2 filesystem data

If you're sure it's an ext2 filesystem, then just look/compare other
ext2 filesystems. This magic number is documented in
include/linux/magic.h (here: 0xef53)

# head -1 /dev/sda2 | od -x | grep ef53
0002060 443e 455e 0003 0021 ef53 0001 0002 0000

good luck,
Christian.
--
BOFH excuse #59:

failed trials, system needs redesigned

Jari Ruusu

Nov 18, 2006, 7:52:01 AM
Lars Reimann wrote:
> I stored my 20 character passwords on my Palm device only (I know by now
> that this was stupid!). However, that one crashed and apparently all data
> was lost, including passwords. However, I may remember certain details of
> the password, for example which characters I did not use, and how the
> password ends.

This won't help you now, but one way to handle lost/forgotten passphrases is
to use gpg encrypted key files where all key files are encrypted using both
employer's "recovery" public key and user's public key. Employer's
"recovery" public key can be distributed to everyone, and copies of private
keys physically locked in a safe. That way employer can recover user's data
even if user drops dead.

> Also, I would like to automate trying different passwords. Is there a
> program available which does such (brute force) things with the
> cryptoloop? However, I may have to write it on my own if nothing is
> available. I heard it may be possible to extract some sectors of ext2/3
> partitions which are always "zero". Then the decryption can be verified by
> using such sectors. Does anyone have an idea which SECTORS these are on ext2/3
> partitions and how to extract them?

First 16 bytes of fourth 512 byte sector are always zero on unencrypted ext2
and ext3 file systems.

This command shows you your ciphertext (in hex):

dd if=/dev/md2 bs=16 skip=96 count=1 2>/dev/null | od -An -tx1 -

And when you find a key that decrypts to (in hex):

03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Then you have found your key. That 03 number is the XOR of zero file system
data and sector number IV of fourth 512 byte sector.

If you used loop-AES version of losetup, as your losetup syntax seems to
imply, then you need to:

1) Compute hash #1 of your passphrase using SHA512, store first 256 bits as
'bulk_key'. Zero/CR/LF byte at the end of string NOT included in hash.

2) Compute hash #2 of your passphrase using SHA512, but bit 0 of first
passphrase byte inverted.

3) Encrypt first 128 bits of bulk_key, using first 256 bits of hash #2 as
AES256 key.

4) Encrypt second 128 bits of bulk_key, using first 256 bits of hash #2 as
AES256 key.

5) Exchange bytes bulk_key[8...15] with bulk_key[16...23]

6) Repeat steps 3...5 for total of 500000 times.

7) Decrypt your file system ciphertext using AES256 and bulk_key

8) Compare to known plaintext (03 00 .... 00 00). If it matches, then you
found your passphrase.

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
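
The offsets behind the dd command and the 03 00 ... 00 target, together with the ext2 magic quoted earlier in the thread, as an added example that is not part of the original post. It assumes the sector number is stored little-endian in the 16-byte IV, which matches the target bytes quoted above; the image bytes are constructed.

```python
import struct

SECTOR = 512
BLOCK = 16            # AES block size in bytes
EXT2_MAGIC = 0xEF53   # value quoted from include/linux/magic.h earlier in the thread

def dd_target(bs, skip):
    """Return (byte offset, sector number, offset inside the sector) for dd bs=.. skip=.."""
    offset = bs * skip
    return offset, offset // SECTOR, offset % SECTOR

def sector_iv(sector):
    """16-byte IV holding the sector number (little-endian layout is an assumption)."""
    return sector.to_bytes(BLOCK, "little")

def expected_raw_block(plaintext, sector):
    """Value a raw AES block decryption yields for the first block of a sector.
    CBC computes P = D(C) xor IV, so D(C) = P xor IV."""
    return bytes(p ^ v for p, v in zip(plaintext, sector_iv(sector)))

def looks_like_ext2(image):
    """Sanity checks on a decrypted image: magic at byte 1080, zero block at byte 1536."""
    (magic,) = struct.unpack_from("<H", image, 1024 + 56)
    return magic == EXT2_MAGIC and image[1536:1536 + BLOCK] == bytes(BLOCK)

# Constructed 2 KiB image: all zeros plus the ext2 magic inside the superblock at byte 1024.
image = bytearray(2048)
struct.pack_into("<H", image, 1024 + 56, EXT2_MAGIC)

if __name__ == "__main__":
    print(dd_target(16, 96))                           # dd bs=16 skip=96 from the post
    print(expected_raw_block(bytes(BLOCK), 3).hex(" "))
    print(looks_like_ext2(bytes(image)))
```

Byte 1080 is the same position as the `ef53` word in the od output above: octal 0002060 is 1072, and the magic is the fifth 16-bit word on that line.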

Lars Reimann

Nov 18, 2006, 10:08:51 AM
Hi all,

many thanks for the first feedback! I think it was very helpful,
especially the filesystem infos.

I've some experience in programming and I think I will try to brute
force my way in as I know the filesystem.

I will keep you informed about my progress and I may ask some more
questions, but your help is already appreciated very much.
I know _for sure_ only 2 chars out of 20, but I have some more info on
the pattern. For example I used only letters and numbers and I am very
sure that I did not repeat any character more than twice, for example.
And some chars I didn't use at all...
I think that information can be programmed into a brute force tool which tries
to find the described layout of the ext2 filesystem. It may take some
time to complete but I am confident.

Do you have any ideas on how to actually calculate the key? For example
should I create them on the fly as the program is running or should I
precalculate them in a dictionary (filesize may be big as I don't know
how big the keyspace is ATM...)

Then there is the problem of pausing and resuming the brute force
search. For example if a machine crashes, recovery data which stores
already processed keys should be mandatory. I do not have an approach yet.

greetings,
l.r.
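
The two open questions in this last message (candidates generated on the fly versus a precomputed dictionary, and pause/resume), worked through as an added example that is not part of the thread. It numbers the candidates so that one integer is the whole checkpoint, and it sizes the search under the stated constraints. Assumptions: a 36-symbol alphabet, 18 unknown positions, 10^9 AES operations per second, and `verify`, a caller-supplied function standing in for steps 1 to 8 of Jari Ruusu's reply.

```python
import string
from math import comb, factorial

AES_OPS_PER_GUESS = 2 * 500_000  # steps 3 and 4 of the reply above, repeated 500000 times

def count_max_twice(alphabet_size, length):
    """Number of strings of `length` in which no character occurs more than twice."""
    total = 0
    for doubles in range(length // 2 + 1):
        singles = length - 2 * doubles
        if doubles + singles <= alphabet_size:
            total += (comb(alphabet_size, doubles) * comb(alphabet_size - doubles, singles)
                      * factorial(length) // 2 ** doubles)
    return total

def years_to_exhaust(candidates, aes_ops_per_second):
    """Time to try every candidate at the given AES block rate."""
    return candidates * AES_OPS_PER_GUESS / aes_ops_per_second / (365 * 24 * 3600)

def unrank(index, mask):
    """Candidate number `index`; `mask` lists the allowed characters per position."""
    out = []
    for charset in reversed(mask):
        index, r = divmod(index, len(charset))
        out.append(charset[r])
    return "".join(reversed(out))

def shard(total, node, nodes):
    """Half-open index range [start, stop) for one machine of a cluster."""
    return total * node // nodes, total * (node + 1) // nodes

def search(mask, start, stop, verify, save, every=1000):
    """Generate candidates on the fly; save(i) stores the next untried index, so a
    crashed run resumes with start=i instead of keeping a list of processed keys."""
    for i in range(start, stop):
        cand = unrank(i, mask)
        if max(map(cand.count, cand)) <= 2 and verify(cand):
            return cand
        if (i + 1) % every == 0:
            save(i + 1)
    return None

if __name__ == "__main__":
    alnum = string.ascii_lowercase + string.digits   # assumed alphabet, 36 symbols
    n = count_max_twice(len(alnum), 18)              # 18 of 20 characters unknown
    print(f"{n:.2e} candidates, {years_to_exhaust(n, 1e9):.2e} years at 1e9 AES ops/s")
```

The count treats the 18 unknown positions on their own and ignores how the two known characters interact with the repeat limit, so it is an estimate of the order of magnitude.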
