Message-ID: <CABh=JRG-G+Xt5YvoTFVpb7BSAHxd+s6EJtZh8Uuk8mmkSTAE2A@mail.gmail.com>
Date: Fri, 11 Jan 2013 00:06:39 +0200
From: Milen Rangelov <gat3way@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: npdf2john

Hello,

I was contacted by LastPass regarding that offline attack. To cut a long
story short, they were open and friendly and offered to help me with the
cryptography questions I had. They did not believe we do an offline attack
initially (they thought it was captured network traffic), so I explained
what we did. They also told me what is being employed on Windows (the
mysterious encrypted IE and Firefox stuff). So, bad news: we're up against
something evil - DPAPI.

What really struck me as odd is that the encrypted XML on Android looks
very much like the sxml from Windows, and I doubt that there is a DPAPI
implementation for Java on Android. But then I am a noob in the Android
world, so who knows :)

So basically we have a real problem with that. DPAPI was reverse-engineered
and I need to read the paper, but from what I remember it is tied to the
local account's password in some way (a SHA1 hash of the password is applied
somehow, from what I remember). So in the Windows case we would need the
local account password, which makes it really hard to crack :(

If anyone is acquainted with how DPAPI works, details would be much
appreciated :)

On Thu, Jan 10, 2013 at 6:09 PM, shane Shane
<shane@...twareontheside.info> wrote:

> > Well, unfortunately the mail address takes part in the key derivation
> > process
>
> By default the LastPass app remembers the email address, so for most
> offline attacks this shouldn't be an issue. Also, chances are the
> individual's phone has an email address or two on it that is most likely the
> email address used for their LastPass account, so even if the user has
> unchecked "remember my email" in the app you'd still have a good guess at the
> person's LastPass email.
>
> Regards,
> Shane