search

openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/
Other
10.14k stars 2.08k forks source link

JtR's "dashlane" format (2017) needs updating to reflect Dashlane's revised hashing procedure #4827

Open marshallwelch opened 3 years ago

marshallwelch commented 3 years ago

🥇👍

Original JTR Dashlane format created here: Add support for Dashlane password manager #2658

The JtR "--format=dashlane" no longer accurately reflects Dashlane's current hashing procedure as described in this revised Dashlane Security Whitepaper-March 2021. Consequently JtR's --format=dashlane can no longer successfully be used to match Dashlane's revised hash format.

When the format was developed in 2017, Dashlane used OpenSSL’s PKCS5 PBKDF2 HMAC1 function with 10204 iterations with the indicated salt to produce a derived key, yielding a SHA-1 format hash.

Now according to the whitepaper, Dashlane has switched from PBKDF2 to Argon2d:

"The User Master Password is used, with the salt, to generate the AES 256-bit key that will be used for (en|de)cryption. We use Argon2d, by default, with the following parameters: iterations = 3, memory = 32Mo, parallelization = 2. We also support PBKDF2-SHA2 with 200,000 iterations."

I'm hoping to get some help revising this JtR format to support Dashlane's current hashing procedure.

Attach details about your OS and about john, including:

magnumripper commented 3 years ago

We should start with #4821 and then we need some new test vectors for continuing with the format.

kholia commented 3 years ago

New Dashlane Backup test vector is attached below. This was created by Dashlane Version 6.2134.0 in September, 2021.

Dashlane Export 2021.dash.txt

Surprisingly, there is no KWC* string present in this newer backup version.

However, it has the $1$argon2d$16$3$32768$2$aes256$cbchmac$16$...(big string here) string present in it. We just need to figure out the format of this entire string, and how the various parts work together.

It would be nice to get a sample for the newer KWC6 style .dash or .aes file.

Note: The old test vectors can be found in the https://github.com/openwall/john/issues/2658 ticket.

marshallwelch commented 3 years ago

I could share the original .aes privately/direct. Here is the "dashlane2john" output from scanning that .aes. (I patched this output by changing v=1, len(aes_data)=220, and stripping the first 4 bytes ("KWC6") from the head of the hash, then john loads it correctly - but can't crack it bc the hash procedure was revised.)

mydash2.txt

Thanks for looking at this with me.

kholia commented 3 years ago

Thanks. I would like to have a copy of this .aes file (hopefully it doesn't have any sensitive real data!). My email address is dhiru.kholia [at] gmail.com.

magnumripper commented 3 years ago

Please also submit test file(s) to https://github.com/openwall/john-samples if possible. They are invaluable when revisiting code a few years later... Thanks for working on this!