List:       oss-security
Subject:    Re: [oss-security] Recommendations GnuPG-2 replacement
From:       Dhiru Kholia <dhiru.kholia () gmail ! com>
Date:       2017-12-23 3:51:16
Message-ID: 20171223033916.GA10696 () lonestar

On Fri, Dec 22, 2017 at 08:52:52PM +0100, Solar Designer wrote:
> On Sun, Dec 17, 2017 at 09:06:08AM +0000, halfdog wrote:
>
> > > You may process the private key file with gpg2john, then try to crack it
> > > with john.  This will output the actual value, as well as show you the
> > > speed at which passphrases can be tested against that key on your system
> > > and with that version of JtR.  To use a GPU, add "--format=gpg-opencl".
> > > Please use latest bleeding-jumbo off GitHub for all of this.
> >
> > Done that, but still fighting how to use "gpg2john" with the new
> > gpgv2 "private-keys-v1.d" key format. Exporting the private keys
> > using gpgv2 does not help as that requires the passphrase already,
> > thus removing the gpgv2-encryption, we want to test.
>
> I tried asking a JtR jumbo contributor to look into this, but
> unfortunately I got no response yet, and I had no time to look into it
> myself.  This is something we ought to have an answer to, but I
> currently don't.

Please see https://github.com/magnumripper/JohnTheRipper/issues/847 (Add
support for the new GPG 2.1 "format") regarding this topic.

To summarize,

* Currently, gpg2john does not understand the "private-keys-v1.d" key
  format.

* We have a very rough cracking implementation for "private-keys-v1.d"
  key format at the moment. See "filter.c" on that GitHub issue.

I can start working on a proper native cracking implementation (with GPU
support likely), if there is interest in this stuff.

--
Dhiru