Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <82CCBA1A-A573-4D19-B46B-19E1CD1D87C9@gmail.com>
Date: Wed, 31 Jul 2019 13:23:05 -0700
From: Eric Oyen <eric.oyen@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Question for experienced cryptographers

Actually, I used a small cluster of machines here with open_CL. The primary host is a Mac mini and I have 2 desktop machines with recent vintage Nvidia cards and loads of ram. I also incorporated 3 laptops into the mess. I know, it’s a hodge podge, but it works reasonably well under most circumstances. Basically, it’s a spare parts cluster. :_)

I tried with GaveGrohl on the Mac first, which gave me the clue as to how long it might take. Then I went on to use JTR for the actual cracking. I also setup a sample file with a number of password hashes of varying types. Some were easier to crack than others. The primary one I created has still not been cracked.

-Eric
From the Central offices of the Technomage Guild, cracking dept.

> On Jul 30, 2019, at 9:47 AM, Johny Krekan <krekan@...nykrekan.com> wrote:
> 
> Thanx for your post .
> What hardware did you use in your test where you wanted to crack your hash?
> Johny
>> 
>> Eric Oyen eric.oyen@...il.com
>> 30. 7. 2019 03:51
>> 
>> The fact of the matter is, AES with bit sizes greater than 256 is still 
> the 
>> best encryption standard there is.
>> As for the criminal enterprise involved:
>> Well, they may have made it rather difficult, but there is no such thing 
> as 
>> impossible.
>> Rule 1: there is no such thing as absolute security
>> Rule 2: if the same key and encryption gets used more than once, it’s 
> chances 
>> of being cracked go up a lot. (One time pads are still the most secure 
> methods)
>> Rule 3: some types of encryption can be broken with the use of large 
> cluster 
>> farms. Believe me, the NSA has one such up in Utah. Also, if there is any 
> kind 
>> of access to the program sources, There might be a solution gained from 
> that. 
>> Given the above, AES and 3DES are still the best methods to use.
>> Unfortunately, those two methods have one glaring security hole, you have 
> to 
>> share the key with your intended party and if you don’t have a way to 
> securely 
>> share it and someone else gets hold of it, well, there goes your security.
>> Now, RSA can use those two and because it uses a shared key system where 
> there 
>> are two keys (public and private), you can share the public key with 
> whomever 
>> you want. Only the intended recipient will be able to decrypt it, and they 
> have 
>> to use their own local passphrase to do it. I know, I use it here myself 
> and I 
>> have run JTR on one sample I created using 4096 bits encryption with a 
> 2048 bit 
>> key-space. So far, after more than a year of steady cracking, JTR has yet 
> to 
>> get it.
>> Now, one rule of encryption is this: depending on the value of information 
> over 
>> time, the longer it takes to crack, the lower the value of the information 
>> becomes. Information in todays world has a shelf life, and it’s an even 
> shorter 
>> one where criminals are concerned.
>> So, if the police in the countries mentioned can’t crack it, they can 
> always 
>> come to the NSA for help, or they can try the FSB in Russia. Either way, 
> they 
>> will have to admit they are way outside their ability on this one.
>> -Eric
>>> On Jul 30, 2019, at 2:59 AM, Johny Krekan <krekan@...nykrekan.com> wrote:
>>> 
>>> Hello, I would like to ask whether someone of you (for example 
>>> Solardesigner as a John author) could estimate what is the real security 
> of 
>>> an applications like Threema. The webpage states that encryption 
> mechanism 
>>> used by this software should be secure enough and there is no chance for 
>>> people to break and decrypt communication between persons which are 
> using 
>>> this software. What do you think what method could be used by agencyes 
> to 
>>> decrypt communication between criminals in Slovakia which are now bein 
>>> judged in most watched process in this time? The news stated that the 
>>> threema was used to encode their communication and then the news stated 
>>> that the communication was succesfully decrypted.
>>> I am looking to see your opinions about the security of such softwares.
>>> Nice day
>>> Johny Krekan

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.