Possibility of zip archive password cracking?
#14
(02-04-2012, 04:04 AM)chort Wrote: Wow, that sounds depressing for RAR cracking. Perhaps there is a design weakness that could lead to a shortcut? I wish I knew something about cryptanalysis.

There are none. Practically speaking, only dictionary attacks and rule-based attacks with limited keyspace are applicable; bruteforce or markov are pure madness. Like I said, RAR without header encryption is even worse. I mentioned looking for heuristics to do an early check, but this failed because the RAR compression algorithm is awful. You can hope to cut off some false positives after at least 32 kilobytes of input data have been AES decrypted and decompressed. Frankly, this is very bad for password recovery. The only hope would be some fast way to AES decrypt large (32K) blocks of data, but GPUs are not the right hardware for that. Perhaps using AES-NI instructions would make some difference, but my CPU does not support them. Thus, I have some archives that I crack at the "amazing" speed of ~100 c/s. Of course, the GPU would calculate the AES keys (based on password and SHA1 transformations) much faster, even though it's hundreds of thousands of SHA1 operations; however, password verification is so slow on the host (CPU side) just because you need to read at least 32KB of data, decrypt and decompress it. It just sucks.

Anyway, it could be worse. 7Zip password protection, for example, is real badass; it's twice as slow as RAR. I still haven't researched the 7z format in more detail, but if it turns out they do the same as RAR does with -p mode archives, coding a 7zip cracker becomes a waste of time.



Messages In This Thread
RE: Possibility of zip archive password cracking? - by gat3way - 02-04-2012, 11:33 PM