Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANWtx02kaKkifRvo053ExwcnKV=jaASd=V3Y6x2y8hQQzr+rjg@mail.gmail.com>
Date: Tue, 8 Apr 2014 13:46:12 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Secure Mode for John

On Tue, Apr 8, 2014 at 10:14 AM, Rich Rumble <richrumble@...il.com> wrote:

>
> On Sun, Mar 2, 2014 at 8:51 PM, Mark Butler <markb@....ibm.com> wrote:
>
>> > A first try is now committed to bleeding-jumbo. Enable by setting
>> > SecureMode=Y in john.conf.
>>
> I like this mode, however, what could be done about sharing the hashes
> when you have to distribute, but you do not want the hashes to work if this
> JtR mode isn't enabled?
> This would require a bit of effort, and I'm just spit-balling, but could
> GPG be used to encrypt the hashes I want to distribute, and be decrypted in
> memory (using some --pub-key option) so that they can then be tried in JtR?
>

My first post wasn't that well thought out, if you have the key and the
(encrypted)hashes, it's trivial to decrypt, you'd need a "secret" method of
doing the key exchange, something more like the way SSL/TLS do with PFS.

I think something like Perfect Forward Secrecy may solve the issue better,
but that could be an entire architecture in of itself I guess, some kind of
client/server setup.The simplest method I guess would be for *john* to
ssh/scp etc to a server and just keep the hashes in memory, and try not to
write them to disk, but rather write them to the remote end. This all
probably makes more sense as an add-on rather than inside JtR itself. There
may be functions, similar to secure-mode or additions to secure-mode, that
make more sense. and that the 3rd party script/binary can use with John. It
makes more sense as an add-on, instead of john including a full blown FHMQV
client/server mechanism or what have you.

The end goal is to be able to have collaborators you don't trust to help
with the load. Perhaps something like this for the next CMIYC, some kind of
wrapper that makes the most of a given resource and can be CnC'd from a
central server. Excuse my ramblings :)
-rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.