Discussion:
[john-users] CAST5 GPU cracking
c***@vfemail.net
2018-06-18 00:14:39 UTC
Permalink
I am trying to crack an old PGP key which is encrypted with CAST5.
What GPU works best for this purpose? I have not been able to find any
benchmarks. Should CAST5 scale like any other algorithms in general?

Thanks.


-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
Dhiru Kholia
2018-06-18 11:47:14 UTC
Permalink
I am trying to crack an old PGP key which is encrypted with CAST5. What GPU
works best for this purpose? I have not been able to find any benchmarks.
Should CAST5 scale like any other algorithms in general?
Number of CPUs also play an important part when cracking GPG keys on the GPUs.

$ ../run/john --test --format=gpg
Benchmarking: gpg, OpenPGP / GnuPG Secret Key [32/64]... (32xOMP) DONE
Speed for cost 1 (s2k-count) of 65536, cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) of 2, cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) of 3
Warning: "Many salts" test limited: 67/256
Many salts: 137216 c/s real, 4289 c/s virtual
Only one salt: 133829 c/s real, 4250 c/s virtual

$ OMP_NUM_THREADS=1 ../run/john --test --format=gpg-opencl
Warning: OpenMP is disabled; GPU may be under-utilized
Device 6: GeForce GTX TITAN X
Benchmarking: gpg-opencl, OpenPGP / GnuPG Secret Key [SHA1/SHA2 OpenCL]... DONE
Speed for cost 1 (s2k-count) of 65536, cost 2 (hash algorithm [2:SHA1 8:SHA256 10:SHA512]) of 2, cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) of 3
Warning: "Many salts" test limited: 34/256
Many salts: 835584 c/s real, 811246 c/s virtual, GPU util: 45%
Only one salt: 795105 c/s real, 765101 c/s virtual

$ ../run/john --test --format=gpg-opencl
Device 6: GeForce GTX TITAN X
Benchmarking: gpg-opencl, OpenPGP / GnuPG Secret Key [SHA1/SHA2 OpenCL]... (32xOMP) DONE
Speed for cost 1 (s2k-count) of 65536, cost 2 (hash algorithm [2:SHA1 8:SHA256 10:SHA512]) of 2, cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) of 3
Warning: "Many salts" test limited: 64/256
Many salts: 1572K c/s real, 505744 c/s virtual, GPU util: 85%
Only one salt: 1449K c/s real, 489859 c/s virtual

Use the latest, biggest, and fastest CPUs and (NVIDIA) GPUs you can ;)
--
Dhiru
c***@vfemail.net
2018-06-18 12:22:03 UTC
Permalink
Thank you. GPG --list-packets shows my key has having the following
line for its S2K configuration:
gnu-dummy S2K, algo: 0, simple checksum, hash: 0

Based on RFC4880 I think this is CAST5 with SHA1 but no iterations. Is
it possible to benchmark this with the --test option to John?
Post by Dhiru Kholia
I am trying to crack an old PGP key which is encrypted with CAST5. What GPU
works best for this purpose? I have not been able to find any benchmarks.
Should CAST5 scale like any other algorithms in general?
Number of CPUs also play an important part when cracking GPG keys on the GPUs.
$ ../run/john --test --format=gpg
Benchmarking: gpg, OpenPGP / GnuPG Secret Key [32/64]... (32xOMP) DONE
Speed for cost 1 (s2k-count) of 65536, cost 2 (hash algorithm [1:MD5
2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) of 2,
cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128
8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192
13:Camellia256]) of 3
Warning: "Many salts" test limited: 67/256
Many salts: 137216 c/s real, 4289 c/s virtual
Only one salt: 133829 c/s real, 4250 c/s virtual
$ OMP_NUM_THREADS=1 ../run/john --test --format=gpg-opencl
Warning: OpenMP is disabled; GPU may be under-utilized
Device 6: GeForce GTX TITAN X
Benchmarking: gpg-opencl, OpenPGP / GnuPG Secret Key [SHA1/SHA2 OpenCL]... DONE
Speed for cost 1 (s2k-count) of 65536, cost 2 (hash algorithm
[2:SHA1 8:SHA256 10:SHA512]) of 2, cost 3 (cipher algorithm [1:IDEA
2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish
11:Camellia128 12:Camellia192 13:Camellia256]) of 3
Warning: "Many salts" test limited: 34/256
Many salts: 835584 c/s real, 811246 c/s virtual, GPU util: 45%
Only one salt: 795105 c/s real, 765101 c/s virtual
$ ../run/john --test --format=gpg-opencl
Device 6: GeForce GTX TITAN X
Benchmarking: gpg-opencl, OpenPGP / GnuPG Secret Key [SHA1/SHA2 OpenCL]... (32xOMP) DONE
Speed for cost 1 (s2k-count) of 65536, cost 2 (hash algorithm
[2:SHA1 8:SHA256 10:SHA512]) of 2, cost 3 (cipher algorithm [1:IDEA
2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish
11:Camellia128 12:Camellia192 13:Camellia256]) of 3
Warning: "Many salts" test limited: 64/256
Many salts: 1572K c/s real, 505744 c/s virtual, GPU util: 85%
Only one salt: 1449K c/s real, 489859 c/s virtual
Use the latest, biggest, and fastest CPUs and (NVIDIA) GPUs you can ;)
--
Dhiru
-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
Solar Designer
2018-06-18 12:28:24 UTC
Permalink
Post by c***@vfemail.net
Thank you. GPG --list-packets shows my key has having the following
gnu-dummy S2K, algo: 0, simple checksum, hash: 0
Based on RFC4880 I think this is CAST5 with SHA1 but no iterations. Is
it possible to benchmark this with the --test option to John?
I wouldn't rely on that kind of analysis and benchmark. Please just try
running gpg2john and john on your key file, and let us know what happens.

Alexander
c***@vfemail.net
2018-06-18 18:59:05 UTC
Permalink
With a modern key when I check the gnupg packets I get
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
[masked for privacy]

And John runs like this:

./john priv
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 3932160 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128
8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192
13:Camellia256]) is 7 for all loaded hashes


With the old PGP key the packets are:
gnu-dummy S2K, algo: 0, simple checksum, hash: 0

Now I do get a nice long output with gpg2john, but I'm worried it is
not valid for such an old key. Is the old count really 65536? When I
run john I get this:

Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128
8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192
13:Camellia256]) is 3 for all loaded hashes

Is gpg2john tested with such old keys from 2000? Ideally I would
download an older PGP and run a test but it is hard to find such an
old version.

Thanks
Post by Solar Designer
Post by c***@vfemail.net
Thank you. GPG --list-packets shows my key has having the following
gnu-dummy S2K, algo: 0, simple checksum, hash: 0
Based on RFC4880 I think this is CAST5 with SHA1 but no iterations. Is
it possible to benchmark this with the --test option to John?
I wouldn't rely on that kind of analysis and benchmark. Please just try
running gpg2john and john on your key file, and let us know what happens.
Alexander
-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
Solar Designer
2018-06-18 19:11:37 UTC
Permalink
Post by c***@vfemail.net
Is the old count really 65536?
Yes, that's what old keys used (and many still do).
Post by c***@vfemail.net
Is gpg2john tested with such old keys from 2000?
I think so, but I'm not sure exactly with which versions of PGP/GnuPG.
Post by c***@vfemail.net
Ideally I would download an older PGP and run a test
Yes, you should.
Post by c***@vfemail.net
but it is hard to find such an old version.
No, it is not. PGP 2.6.3i* from mid to late 1990s:

http://www.spywarewarrior.com/uiuc/disastry/263multi.htm#download

GnuPG 1.2.0+ from 2002+:

https://www.gnupg.org/ftp/gcrypt/gnupg/

You might run into minor difficulties building these on a modern system,
though. You might end up needing to tweak them or building/running in a
VM with a similarly old system.

Alexander
c***@vfemail.net
2018-06-18 19:35:51 UTC
Permalink
Thank you again. I will have to set up version 5 for an ultimate test.
Now I am using 2.6.3.

It doesn't crack it -- maybe I am doing something wrong? The password
I used was 'test'.

C:\Users\Desktop\pgp>pgp -kg
No configuration file found.
Pretty Good Privacy(tm) 2.6.3ia-multi06 - Public-key encryption for the masses
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 2002-04-22
International version - for use everywhere (including USA).
Current time: 2018/06/18 19:30 GMT

PGP is now using IDEA with MD5.


Pick your RSA key size:
1) 512 bits- No security, should not be used
2) 768 bits- Low security, should not be used
3) 1024 bits- Good security, supported by all PGP-versions
4) 2047 bits- High security, supported since 2.6
5) 2048 bits- High security, supported since 2.6.3
6) 3172 bits- Higher security, not supported by many PGP-versions
7) 4096 bits- Very high security, not supported by many PGP-versions
Choose 1 - 7, or enter desired number of bits: 5

Generating an RSA key with a 2048-bit modulus.

You need a user ID for your public key. The desired form for this
user ID is your name, followed by your E-mail address enclosed in
<angle brackets>, if you have an E-mail address.
For example: John Q. Smith <***@compuserve.com>
Enter a user ID for your public key:
user
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>m = key expires in n months
<n>y = key expires in n years


You need a pass phrase to protect your RSA secret key.
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.

Enter pass phrase:
Enter same pass phrase again:
Note that key generation is a lengthy process.

We need to generate 1976 random bits. This is done by measuring the
time intervals between your keystrokes. Please enter some random text
on your keyboard until you hear the beep:
0 * -Enough, thank you.
.......**** .............****
Pass phrase is good. Just a moment....
Key signature certificate added.
Key generation completed.

C:\Users\Desktop\pgp>pgp -a -kx user out.txt secring.pgp
No configuration file found.
Pretty Good Privacy(tm) 2.6.3ia-multi06 - Public-key encryption for the masses
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 2002-04-22
International version - for use everywhere (including USA).
Current time: 2018/06/18 19:31 GMT

PGP is now using IDEA with MD5.


Extracting from key ring: 'secring.pgp', userid "user".

Key for user ID: user
2048-bit key, key ID D92510BD, created 2018/06/18

Output file 'out.asc' already exists. Overwrite (y/N)? y

Transport armor file: out.asc

Key extracted to file 'out.asc'.

C:\Users\Desktop\pgp>type out.asc
Type Bits/KeyID Date User ID
sec 2048/D92510BD 2018/06/18 user

-----BEGIN PGP SECRET KEY BLOCK-----
Version: 2.6.3ia-multi06

lQOgA1soCDUAAAEIAKDesukffEAfwdSs6gRiSjiOfXrmkhstlrLr04Lw4dst5opQ
bP04EhDC/XyJKAv3U8RBN/hCUkoPynWJPoo8qmJYln/AvMbD7yF+ONWfdAYrrTJd
XGcWDgDepC4ovZNk3B+PKW2f+58ZGIhUGfJJ5KCX2EX2J2z4Lmaz1w8YYOnbPTht
PsZ+u15Pogoqj+uCia5/9iG/YIJIt61zsDRjG9pRWUCVy6gEQm6F/xHOof6ce/dL
e66tFJlymKiKUvMu/+bdgQgkK7WwoToPrUw+Y8JMf9XrTj0gNrPlmuXfB/kj1LUD
3rIG3cE+/yGw0WXQRcJo0NPHMJQIpGa4v9klEL0ABREBTCQpe33+8j0H/l6fXS/0
O7rWDnOlBSUXEuMRIFHQ1xYqH3GuiuuMh73xbHX00DtCEy/gVwRc09/Yy3oWjfoI
0vGVpqd38yMP6V2Rcrt+gs+8VQDvJJRuZLWuerLIkmkztMK+eVmTja67hg1YpLz8
/k7T2VA4rQJ/weomXK2jgHlgQbOgwJ9t8+xLHnJnqA3QmXT4v782KkyGZY/wn1Sk
blyW6lwBzBGAFSeHvaNe4besWtDU/unNvqZAJ/+QK0wIaee4Wx0UCirGoSN5d++y
wPuXD5OrYEZcT6SQk+FE1Nv1merRZB6ifwNHpORPNiPsenjGsZY+a19uLu5uerQT
CggZ1g3cmyyYWjwEAKKQUeG45V1i1pHbrIySA58ga7lyEBEjSMiBiLn+2eUII39p
7duw8KTpVod4pVbZn6h6xJK3S+isOg3E8dq6Ha5PEuJqsjyhtEfu8Moh8PP8aqxA
vrTngH8ljwTuqYru43M96WRZMhfj3XVAyKYkQSdhiI2TxiM4Pi4MhhFEZdQEBAA8
OK8Tmpa0AAHD/B8bf12P5vhu8UqM5xMBkJX6D4wlzJcza046kb11090B16ROSFOr
i6aMSQ62jcwjs2nZAwKBAEXRuuL7ZluxbBguVm4eQXP7UjD5yCurObyzDKfKMPns
KW8VsMXwWntnSBHUaV7lFiLELFJlGAEhF2GCZLbJfAP+uxMcsxMz/sQHRGEHhIgu
dlSPHemEkRoZa8Wl1hnjoNX78gwC0fd78f2ZhE/boXoQg6+M6Lbw2xdtHJNjLnqw
omiMTnvyL7HQ9hMY8O0fK8F+2meBkBSjhCznodfNkCHHqCYkAnKR81eKiFl9hQEd
+mmVKPTFdNS/fm7tcxYifx1SJ7QEdXNlcg==
=jcaF
-----END PGP SECRET KEY BLOCK-----



Then...

[ec2-user@ run]$ cat >newold.asc
-----BEGIN PGP SECRET KEY BLOCK-----
Version: 2.6.3ia-multi06

lQOgA1soCDUAAAEIAKDesukffEAfwdSs6gRiSjiOfXrmkhstlrLr04Lw4dst5opQ
bP04EhDC/XyJKAv3U8RBN/hCUkoPynWJPoo8qmJYln/AvMbD7yF+ONWfdAYrrTJd
XGcWDgDepC4ovZNk3B+PKW2f+58ZGIhUGfJJ5KCX2EX2J2z4Lmaz1w8YYOnbPTht
PsZ+u15Pogoqj+uCia5/9iG/YIJIt61zsDRjG9pRWUCVy6gEQm6F/xHOof6ce/dL
e66tFJlymKiKUvMu/+bdgQgkK7WwoToPrUw+Y8JMf9XrTj0gNrPlmuXfB/kj1LUD
3rIG3cE+/yGw0WXQRcJo0NPHMJQIpGa4v9klEL0ABREBTCQpe33+8j0H/l6fXS/0
O7rWDnOlBSUXEuMRIFHQ1xYqH3GuiuuMh73xbHX00DtCEy/gVwRc09/Yy3oWjfoI
0vGVpqd38yMP6V2Rcrt+gs+8VQDvJJRuZLWuerLIkmkztMK+eVmTja67hg1YpLz8
/k7T2VA4rQJ/weomXK2jgHlgQbOgwJ9t8+xLHnJnqA3QmXT4v782KkyGZY/wn1Sk
blyW6lwBzBGAFSeHvaNe4besWtDU/unNvqZAJ/+QK0wIaee4Wx0UCirGoSN5d++y
wPuXD5OrYEZcT6SQk+FE1Nv1merRZB6ifwNHpORPNiPsenjGsZY+a19uLu5uerQT
CggZ1g3cmyyYWjwEAKKQUeG45V1i1pHbrIySA58ga7lyEBEjSMiBiLn+2eUII39p
7duw8KTpVod4pVbZn6h6xJK3S+isOg3E8dq6Ha5PEuJqsjyhtEfu8Moh8PP8aqxA
vrTngH8ljwTuqYru43M96WRZMhfj3XVAyKYkQSdhiI2TxiM4Pi4MhhFEZdQEBAA8
OK8Tmpa0AAHD/B8bf12P5vhu8UqM5xMBkJX6D4wlzJcza046kb11090B16ROSFOr
i6aMSQ62jcwjs2nZAwKBAEXRuuL7ZluxbBguVm4eQXP7UjD5yCurObyzDKfKMPns
KW8VsMXwWntnSBHUaV7lFiLELFJlGAEhF2GCZLbJfAP+uxMcsxMz/sQHRGEHhIgu
dlSPHemEkRoZa8Wl1hnjoNX78gwC0fd78f2ZhE/boXoQg6+M6Lbw2xdtHJNjLnqw
omiMTnvyL7HQ9hMY8O0fK8F+2meBkBSjhCznodfNkCHHqCYkAnKR81eKiFl9hQEd
+mmVKPTFdNS/fm7tcxYifx1SJ7QEdXNlcg==
=jcaF
-----END PGP SECRET KEY BLOCK-----
[ec2-user@ run]$ ./gpg2john newold.asc

File newold.asc
user:$gpg$*1*650*2048*07fe5e9f5d2ff43bbad60e73a505251712e3112051d0d7162a1f71ae8aeb8c87bdf16c75f4d03b42132fe057045cd3dfd8cb7a168dfa08d2f195a6a777f3230fe95d9172bb7e82cfbc5500ef24946e64b5ae7ab2c8926933b4c2be7959938daebb860d58a4bcfcfe4ed3d95038ad027fc1ea265cada380796041b3a0c09f6df3ec4b1e7267a80dd09974f8bfbf362a4c86658ff09f54a46e5c96ea5c01cc1180152787bda35ee1b7ac5ad0d4fee9cdbea64027ff902b4c0869e7b85b1d140a2ac6a1237977efb2c0fb970f93ab60465c4fa49093e144d4dbf599ead1641ea27f0347a4e44f3623ec7a78c6b1963e6b5f6e2eee6e7ab4130a0819d60ddc9b2c985a3c0400a29051e1b8e55d62d691dbac8c92039f206bb97210112348c88188b9fed9e508237f69eddbb0f0a4e9568778a556d99fa87ac492b74be8ac3a0dc4f1daba1dae4f12e26ab23ca1b447eef0ca21f0f3fc6aac40beb4e7807f258f04eea98aeee3733de964593217e3dd7540c8a624412761888d93c623383e2e0c86114465d40404003c38af139a96b40001c3fc1f1b7f5d8fe6f86ef14a8ce713019095fa0f8c25cc97336b4e3a91bd75d3dd01d7a44e4853ab8ba68c490eb68dcc23b369d90302810045d1bae2fb665bb16c182e566e1e4173fb5230f9c82bab39bcb30ca7ca30f9ec29
6f15b0c5f05a7b674811d4695ee51622c42c526518012117618264b6c97c03febb131cb31333fec40744610784882e76548f1de984911a196bc5a5d619e3a0d5fbf20c02d1f77bf1fd99844fdba17a1083af8ce8b6f0db176d1c93632e7ab0a2688c4e7bf22fb1d0f61318f0ed1f2bc17eda67819014a3842ce7a1d7cd9021c7a82624027291f3578a88597d85011dfa699528f4c574d4bf7e6eed7316227f1d5227*0*1*0*1*8*4c24297b7dfef23d*0*0000000000000000*256*a0deb2e91f7c401fc1d4acea04624a388e7d7ae6921b2d96b2ebd382f0e1db2de68a506cfd381210c2fd7c89280bf753c44137f842524a0fca75893e8a3caa6258967fc0bcc6c3ef217e38d59f74062bad325d5c67160e00dea42e28bd9364dc1f8f296d9ffb9f1918885419f249e4a097d845f6276cf82e66b3d70f1860e9db3d386d3ec67ebb5e4fa20a2a8feb8289ae7ff621bf608248b7ad73b034631bda51594095cba804426e85ff11cea1fe9c7bf74b7baead14997298a88a52f32effe6dd8108242bb5b0a13a0fad4c3e63c24c7fd5eb4e3d2036b3e59ae5df07f923d4b503deb206ddc13eff21b0d165d045c268d0d3c7309408a466b8bfd92510bd:::user::newold.asc
[ec2-user@ run]$ cat >newold_out.txt
user:$gpg$*1*650*2048*07fe5e9f5d2ff43bbad60e73a505251712e3112051d0d7162a1f71ae8aeb8c87bdf16c75f4d03b42132fe057045cd3dfd8cb7a168dfa08d2f195a6a777f3230fe95d9172bb7e82cfbc5500ef24946e64b5ae7ab2c8926933b4c2be7959938daebb860d58a4bcfcfe4ed3d95038ad027fc1ea265cada380796041b3a0c09f6df3ec4b1e7267a80dd09974f8bfbf362a4c86658ff09f54a46e5c96ea5c01cc1180152787bda35ee1b7ac5ad0d4fee9cdbea64027ff902b4c0869e7b85b1d140a2ac6a1237977efb2c0fb970f93ab60465c4fa49093e144d4dbf599ead1641ea27f0347a4e44f3623ec7a78c6b1963e6b5f6e2eee6e7ab4130a0819d60ddc9b2c985a3c0400a29051e1b8e55d62d691dbac8c92039f206bb97210112348c88188b9fed9e508237f69eddbb0f0a4e9568778a556d99fa87ac492b74be8ac3a0dc4f1daba1dae4f12e26ab23ca1b447eef0ca21f0f3fc6aac40beb4e7807f258f04eea98aeee3733de964593217e3dd7540c8a624412761888d93c623383e2e0c86114465d40404003c38af139a96b40001c3fc1f1b7f5d8fe6f86ef14a8ce713019095fa0f8c25cc97336b4e3a91bd75d3dd01d7a44e4853ab8ba68c490eb68dcc23b369d90302810045d1bae2fb665bb16c182e566e1e4173fb5230f9c82bab39bcb30ca7ca30f9ec29
6f15b0c5f05a7b674811d4695ee51622c42c526518012117618264b6c97c03febb131cb31333fec40744610784882e76548f1de984911a196bc5a5d619e3a0d5fbf20c02d1f77bf1fd99844fdba17a1083af8ce8b6f0db176d1c93632e7ab0a2688c4e7bf22fb1d0f61318f0ed1f2bc17eda67819014a3842ce7a1d7cd9021c7a82624027291f3578a88597d85011dfa699528f4c574d4bf7e6eed7316227f1d5227*0*1*0*1*8*4c24297b7dfef23d*0*0000000000000000*256*a0deb2e91f7c401fc1d4acea04624a388e7d7ae6921b2d96b2ebd382f0e1db2de68a506cfd381210c2fd7c89280bf753c44137f842524a0fca75893e8a3caa6258967fc0bcc6c3ef217e38d59f74062bad325d5c67160e00dea42e28bd9364dc1f8f296d9ffb9f1918885419f249e4a097d845f6276cf82e66b3d70f1860e9db3d386d3ec67ebb5e4fa20a2a8feb8289ae7ff621bf608248b7ad73b034631bda51594095cba804426e85ff11cea1fe9c7bf74b7baead14997298a88a52f32effe6dd8108242bb5b0a13a0fad4c3e63c24c7fd5eb4e3d2036b3e59ae5df07f923d4b503deb206ddc13eff21b0d165d045c268d0d3c7309408a466b8bfd92510bd:::user::newold.asc
[ec2-user@ run]$ cat wordlist
test2
test
test3
[ec2-user@ run]$ ./john newold_out.txt --wordlist=wordlist
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 0 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 0 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128
8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192
13:Camellia256]) is 1 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2018-06-18 19:31) 0g/s 300.0p/s 300.0c/s 300.0C/s test3
Session completed
[ec2-user@ run]$ ./john --show newold_out.txt
0 password hashes cracked, 1 left
Post by Solar Designer
Post by c***@vfemail.net
Is the old count really 65536?
Yes, that's what old keys used (and many still do).
Post by c***@vfemail.net
Is gpg2john tested with such old keys from 2000?
I think so, but I'm not sure exactly with which versions of PGP/GnuPG.
Post by c***@vfemail.net
Ideally I would download an older PGP and run a test
Yes, you should.
Post by c***@vfemail.net
but it is hard to find such an old version.
http://www.spywarewarrior.com/uiuc/disastry/263multi.htm#download
https://www.gnupg.org/ftp/gcrypt/gnupg/
You might run into minor difficulties building these on a modern system,
though. You might end up needing to tweak them or building/running in a
VM with a similarly old system.
Alexander
-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
Solar Designer
2018-06-19 10:26:42 UTC
Permalink
Post by c***@vfemail.net
Now I am using 2.6.3.
I suggest that going forward you don't copy-paste this, but instead run
gpg2john with output redirected to the file:

./gpg2john newold.asc > newold_out.txt
Post by c***@vfemail.net
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 0 for all loaded hashes
Well, at least this is wrong (cost value not among the listed options)
and probably indicates we have a bug in there. However, the below fix
alone doesn't result in the password getting cracked.

$ git diff
diff --git a/src/gpg_common_plug.c b/src/gpg_common_plug.c
index 0cbfb36..c787f71 100644
--- a/src/gpg_common_plug.c
+++ b/src/gpg_common_plug.c
@@ -891,6 +891,8 @@ void *gpg_common_get_salt(char *ciphertext)
psalt->usage = atoi(p);
p = strtokm(NULL, "*");
psalt->hash_algorithm = atoi(p);
+ if (!psalt->hash_algorithm)
+ psalt->hash_algorithm = HASH_MD5;
p = strtokm(NULL, "*");
psalt->cipher_algorithm = atoi(p);
if (!psalt->symmetric_mode) {

Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 1 for all loaded hashes

So there's probably more for us to fix to support PGP keys this old.

Thanks,

Alexander
Dhiru Kholia
2018-06-19 10:59:44 UTC
Permalink
Post by Solar Designer
./gpg2john newold.asc > newold_out.txt
Post by c***@vfemail.net
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 0 for all loaded hashes
Well, at least this is wrong (cost value not among the listed options)
and probably indicates we have a bug in there.
So there's probably more for us to fix to support PGP keys this old.
On CentOS 7,

$ gpg --homedir . --s2k-cipher-algo idea --s2k-mode 0 \
--simple-sk-checksum --gen-key

$ pgpdump secring.gpg
...
Old: Secret Key Packet(tag 5)(931 bytes)
Ver 4 - new
Public key creation time - Tue Jun 19 15:04:57 IST 2018
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(17 bits) - ...
Sym alg - IDEA(sym 1)
Simple string-to-key(s2k 0): Hash alg - SHA1(hash 2)
...

This is probably the oldest (and possibly weakest) GPG key type we support?

With your key,

$ pgpdump newold.asc
Old: Secret Key Packet(tag 5)(928 bytes)
Ver 3 - old
Public key creation time - Tue Jun 19 00:59:57 IST 2018
Valid days - 0[0 is forever]
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(5 bits) - ...
Sym alg - IDEA(sym 1)
Simple string-to-key for IDEA
IV - 4c 24 29 7b 7d fe f2 3d
Encrypted RSA d(2046 bits) - ...
Encrypted RSA p(1024 bits) - ...
Encrypted RSA q(1024 bits) - ...
Encrypted RSA u(1022 bits) - ...
Checksum - 52 27

It seems that we don't support this (i.e. Simple string-to-key for
IDEA) S2K yet.

We might also run into a lot of false positives when cracking such
keys due to lack of a strong verifier / checksum.

Dhiru
c***@vfemail.net
2018-06-19 12:56:46 UTC
Permalink
Thanks a lot to both of you for your help. I see a github issue has
been opened already.
Post by Dhiru Kholia
Post by Solar Designer
./gpg2john newold.asc > newold_out.txt
Post by c***@vfemail.net
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 0 for all loaded hashes
Well, at least this is wrong (cost value not among the listed options)
and probably indicates we have a bug in there.
So there's probably more for us to fix to support PGP keys this old.
On CentOS 7,
$ gpg --homedir . --s2k-cipher-algo idea --s2k-mode 0 \
--simple-sk-checksum --gen-key
$ pgpdump secring.gpg
...
Old: Secret Key Packet(tag 5)(931 bytes)
Ver 4 - new
Public key creation time - Tue Jun 19 15:04:57 IST 2018
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(17 bits) - ...
Sym alg - IDEA(sym 1)
Simple string-to-key(s2k 0): Hash alg - SHA1(hash 2)
...
This is probably the oldest (and possibly weakest) GPG key type we support?
With your key,
$ pgpdump newold.asc
Old: Secret Key Packet(tag 5)(928 bytes)
Ver 3 - old
Public key creation time - Tue Jun 19 00:59:57 IST 2018
Valid days - 0[0 is forever]
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(5 bits) - ...
Sym alg - IDEA(sym 1)
Simple string-to-key for IDEA
IV - 4c 24 29 7b 7d fe f2 3d
Encrypted RSA d(2046 bits) - ...
Encrypted RSA p(1024 bits) - ...
Encrypted RSA q(1024 bits) - ...
Encrypted RSA u(1022 bits) - ...
Checksum - 52 27
It seems that we don't support this (i.e. Simple string-to-key for
IDEA) S2K yet.
We might also run into a lot of false positives when cracking such
keys due to lack of a strong verifier / checksum.
Dhiru
-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!

c***@vfemail.net
2018-06-18 20:13:52 UTC
Permalink
Just a quick followup. I was able to use PGP for Windows 6.5.2 to
generate a key which was just cracked with JtR.
So the way I am using it is ok. 2.6.3 doesn't work but 6.5.2 does.
Neither are the same S2K/etc. format as my year 2000 generated key. So
next I will try 5.
Posting this here in case it is helpful for anyone else.

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: PGP 6.5.2

lQHPBFsoASsRBADoCNpu43fmKunEva2dNC7DWpwL2V755dYdK7KI3KEAj5UnNU0m
GOM78forU0UnmQmAJ7d2/SuVJM9UU4KZBQJDocuSN+ItULHQ9IqFpb0/oXbxXP+C
WG/1CZIGTtnaGnxFhGY7IqWB+adK6BFWvbrCbivKf73+s1zgSEjRFLZ4YQCg/2Nv
5Km6xg27gvcW1RWWdQDzye8EALFc2evLUZ0KaFjsGuT9Fj6r6WX+43mVikDxWtAw
M3ZLpH8VSXE28OZJYJ8nlpsThB6kkoDid/sZQE38N6VoKoDyyYxXiRGJgl4EzXA/
t1/7czePfe0B2/2qVNoPMXL5axzpAzsvpHd+y63o4CjEwfAQa51mSageu68rSQKd
NKaxA/9SQ/ScRM7B4sMHsxBJfE3ngPvgImaaa0Xy2AT4p/QV7h2iAi9bcxt/LR8A
uZPg0qUYU60yXeVrvbKhHT2kJ04gz+IsOo+Vh1IbauJPf0/OojwSatVh5CPfQG7T
J8I3xFEi2etri9vtBLtId8cHq9Hqaj0kb8g9NFKuo3TbMBuy9/8DAwJG9qaRiYBa
JGAP9UgDRaDrjg9gOoW2ZGfWOctCBdsolM+D9ISDfr06N7QEdGVzdJ0CUQRbKAEu
EAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstD
qZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryD
xUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSR
BzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGze
MyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1B
n5x8vYlLIhkmuquiXsNV6TILOwACAggA2vBCrejRWFOYxApdm3B9ybRQOyew1Sfv
qHA5Gfshz8oCISk7yjDaH3Biolk25W1FTnftVRDKYn2N93FZL1MkRIouUeR2AxyN
nwUsZwdhCvoUlsRMpTJCzrn9pXh2219oGBZZiyEZT2kAQ1D+JlBa5FWGnuYwn9z7
cBWWX0sH3KTK/F97/4uP99/MDiIi56AbkuB5HMVG2pj8fqx2D6JW3vc/o1GbkWVo
bBY/+Bbhl+Bc8flugug/QKAGBUbmEd1V5dN50qD9ylottyvtAiFcjW55kTmWlu4a
yTxvGaCekR7jHCVoEl2ANQNocc4vdLzwhlLcdqzJO4M8fBHmSKHRkf8DAwIVQc1B
ZRhjiWAOI548xW2DtsgFH+k0CaKxVkdRmO4cIXaxUm+OFAQg1auyHE5HODPJmpeh
b0hMRoiAeRLxijTn
=+oDo
-----END PGP PRIVATE KEY BLOCK-----


gpg --list-packets new2.txt
:secret key packet:
version 4, algo 17, created 1529348395, expires 0
skey[0]: [1024 bits]
skey[1]: [160 bits]
skey[2]: [1024 bits]
skey[3]: [1023 bits]
iter+salt S2K, algo: 3, simple checksum, hash: 2, salt:
46f6a69189805a24
protect count: 65536 (96)
protect IV: 0f f5 48 03 45 a0 eb 8e
encrypted stuff follows
keyid: 19C1F9904A8D108A
:user ID packet: "test"
:secret sub key packet:
version 4, algo 16, created 1529348398, expires 0
skey[0]: [2048 bits]
skey[1]: [2 bits]
skey[2]: [2048 bits]
iter+salt S2K, algo: 3, simple checksum, hash: 2, salt:
1541cd4165186389
protect count: 65536 (96)
protect IV: 0e 23 9e 3c c5 6d 83 b6
encrypted stuff follows
keyid: 6E03C76DC03D77CC

./gpg2john new2.txt

File new2.txt
test:$gpg$*17*24*1024*0f603a85b66467d639cb4205db2894cf83f484837ebd3a37*3*255*2*3*8*0ff5480345a0eb8e*65536*46f6a69189805a24*128*e808da6ee377e62ae9c4bdad9d342ec35a9c0bd95ef9e5d61d2bb288dca1008f9527354d2618e33bf1fa2b53452799098027b776fd2b9524cf54538299050243a1cb9237e22d50b1d0f48a85a5bd3fa176f15cff82586ff50992064ed9da1a7c4584663b22a581f9a74ae81156bdbac26e2bca7fbdfeb35ce04848d114b67861*20*ff636fe4a9bac60dbb82f716d515967500f3c9ef*128*b15cd9ebcb519d0a6858ec1ae4fd163eabe965fee379958a40f15ad03033764ba47f15497136f0e649609f27969b13841ea49280e277fb19404dfc37a5682a80f2c98c57891189825e04cd703fb75ffb73378f7ded01dbfdaa54da0f3172f96b1ce9033b2fa4777ecbade8e028c4c1f0106b9d6649a81ebbaf2b49029d34a6b1*128*5243f49c44cec1e2c307b310497c4de780fbe022669a6b45f2d804f8a7f415ee1da2022f5b731b7f2d1f00b993e0d2a51853ad325de56bbdb2a11d3da4274e20cfe22c3a8f9587521b6ae24f7f4fcea23c126ad561e423df406ed327c237c45122d9eb6b8bdbed04bb4877c707abd1ea6a3d246fc83d3452aea374db301bb2f7:::test::new2.txt


./john new2.out
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384
10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128
8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192
13:Camellia256]) is 3 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
test (test)
1g 0:00:00:00 DONE 1/3 (2018-06-18 20:09) 100.0g/s 100.0p/s 100.0c/s
100.0C/s test
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Post by Solar Designer
Post by c***@vfemail.net
Is the old count really 65536?
Yes, that's what old keys used (and many still do).
Post by c***@vfemail.net
Is gpg2john tested with such old keys from 2000?
I think so, but I'm not sure exactly with which versions of PGP/GnuPG.
Post by c***@vfemail.net
Ideally I would download an older PGP and run a test
Yes, you should.
Post by c***@vfemail.net
but it is hard to find such an old version.
http://www.spywarewarrior.com/uiuc/disastry/263multi.htm#download
https://www.gnupg.org/ftp/gcrypt/gnupg/
You might run into minor difficulties building these on a modern system,
though. You might end up needing to tweak them or building/running in a
VM with a similarly old system.
Alexander
-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
Dhiru Kholia
2018-06-18 12:38:20 UTC
Permalink
Thank you. GPG --list-packets shows my key has having the following line for
gnu-dummy S2K, algo: 0, simple checksum, hash: 0
Based on some Stack Exchange answers,

The file you're trying to import does not seem to contain the actual
private key, as indicated by this line in the output of gpg
--list-packets:

gnu-dummy S2K, algo: 3, SHA1 protection, hash: 2

...

Your key seems to be similar to [1] this file.

[1] https://salsa.debian.org/clint/hOpenPGP/blob/master/tests/data/gnu-dummy-s2k-101-secret-key.gpg

$ ../run/gpg2john gnu-dummy-s2k-101-secret-key.gpg

gnu-dummy-s2k-101-secret-key:$gpg$*1*0*2048**0*254*0*3*0**0*0000000000000000:::gnu-dummy-s2k-101-secret-key::gnu-dummy-s2k-101-secret-key.gpg

This doesn't look like crackable data.

Dhiru
Loading...