As discussed in #3130:
Ideally, we'd add a way to crack more of these things without such exposures, or mitigating the exposures at least partially. Password recovery for cryptocoin wallets is in demand and a lot of (most?) people who forgot their wallet passwords are not tech-savvy enough to use/tune JtR well, so I wish it were possible for more capable users of JtR to provide this as a service without such risks. (And right now there are risks even for whoever provides the service - they'd be suspected of theft even if they don't steal anything but someone else does, via whatever other means.)
When we use CBC padding to verify successful guesses, perhaps we only need the last two blocks? Maybe we could encode only those two, and only decrypt the last one? That would also speed things up a little bit. Now, whether the last two blocks of a private key are (enough to recover) the whole key or not will vary (what key size, public key cryptosystem, randomness) - we'd need to also look into this.
For formats where the CBC padding check wouldn't have been the only one, perhaps the corresponding *2john tool should estimate the chance of false positives resulting from making that check the only one - e.g., with 6+ bytes of padding the chance is probably low enough, and with 8+ negligible. The *2john tools can know this and report on it, or choose to output different things (and print different messages accordingly) depending on it.
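Added illustration of the two ideas above (example code, not JtR's own or the wallet formats' code): verifying a guess from only the last two ciphertext blocks, since P_last = D_key(C_last) XOR C_prev needs nothing else, and estimating the false-positive chance from the padding length. A toy Feistel cipher stands in for AES, PBKDF2 is an assumed key derivation, and the *2john tool is assumed to record the expected padding length alongside the two blocks.

```python
import hashlib, hmac

BLOCK = 16  # block size in bytes, same as AES
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function of a toy Feistel cipher (stand-in for AES).
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def derive_key(password: str, salt: bytes) -> bytes:
    # Assumed KDF for this example; real wallet formats use their own derivation.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 2048, 32)

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad  # PKCS#7 padding
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def check_guess(key: bytes, c_prev: bytes, c_last: bytes, pad: int) -> bool:
    # Only the last two blocks are needed: P_last = D_key(C_last) XOR C_prev; accept
    # the guess iff the last `pad` bytes all equal `pad` (PKCS#7 with known length).
    p_last = _xor(block_decrypt(key, c_last), c_prev)
    return p_last[-pad:] == bytes([pad]) * pad

def false_positive_prob(pad: int) -> float:
    # A wrong key gives a pseudo-random last block, so each of the `pad` bytes
    # matches by chance with probability 1/256: 2^-48 for 6 bytes, 2^-64 for 8.
    return 2.0 ** (-8 * pad)

def wallet_fixture():
    # Constructed sample: a 42-byte "private key" gets 6 bytes of padding (3 blocks).
    # A *2john tool would emit only the salt, the last two blocks and the pad length.
    salt, iv, secret = b"constructed-salt", bytes(range(16)), bytes(range(42))
    ct = cbc_encrypt(derive_key("correct horse", salt), iv, secret)
    return salt, ct[-2 * BLOCK:-BLOCK], ct[-BLOCK:], 6
```

For a single-block plaintext, `c_prev` is the IV, which the tool would then have to emit in its place.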