Posts: 38
Threads: 6
Joined: Jun 2017
Hey all, I've got a few friends who want to volunteer their GPUs for cracking.
If I just send them my output hash for an Ethereum wallet, for example -- can they reverse my wallet file?
They'll end up with the password, but not necessarily the wallet file to open the account. Of course they'll need the output hash for the wallet, but can they now have both and bypass me?
Posts: 2,267
Threads: 16
Joined: Feb 2013
01-20-2018, 10:58 PM
(This post was last modified: 01-20-2018, 11:07 PM by philsmd.)
In general (if we do not look at ethereum pre-sale) it's not always the case that only by having found the password corresponding to a certain hash you can access data of the owner of the hash (if no additional data is provided, e.g. the service the hash was extracted from, user names/email etc.). Therefore some hashes could be less sensitive.
But there are some exceptions... and unfortunately ethereum pre-sale and some very few other algorithms (like encrypted and compressed 7-zip data - "hashes" - etc) are among those.
For the pre-sale algorithm we know that by having the raw seed you can generate the private key (see
https://github.com/tagawa/website/blob/f...ool.py#L53)... unfortunately the "hash" also needs to include the encseed which is used to verify if the password recovery is correct (ethpriv = sha3 (seed) vs the hash bkp = sha3 (aes_256_cbc_decrypt (pbkdf2 ($pass, $pass, 2000), $iv, $encseed) . "\x02") where the seed itself is just part of that calculation i.e. seed = aes_256_cbc_decrypt (pbkdf2 ($pass, $pass, 2000), $iv, $encseed)).
Therefore, in theory an ethereum pre-sale "hash" includes all the information that could be (mis)used to empty the wallet after the password was discovered/recovered.
Posts: 38
Threads: 6
Joined: Jun 2017
My god you're a smart man. Thanks for the knowledge.
I trudge on...
Posts: 2,267
Threads: 16
Joined: Feb 2013
This discussion would also be interesting here:
https://hashcat.net/forum/thread-6405-po...l#pid39256
Basically, if you can reveal at least the last 2 blocks (2*16 bytes = 32 bytes) of the encseed and you know the encseed length and ideally also the raw seed length (which might be always the same!), you could perform an attack on the padding bytes (PKCS#7) without even the need to reveal the seed, bkp, ethereum address etc (of course also without leaking the public and private keys).
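Added example, not part of the original posts and not hashcat or pyethsaletool code: a Go sketch of the reduced check described above, in which helpers receive only the last two ciphertext blocks and test a candidate password against the expected PKCS#7 padding, so the seed never leaves the owner. The sample seed, password, all-zero IV, 32-byte key length (taken from the aes_256 in the post) and the names `deriveKey`, `padOK` and `reducedSample` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// deriveKey: one-block PBKDF2-HMAC-SHA256, password as its own salt, 2000 rounds (32-byte key assumed).
func deriveKey(pass []byte) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(append(append([]byte{}, pass...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 2000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// padOK decrypts only the final block (previous block acts as CBC IV) and checks the padding.
func padOK(pass, lastTwo []byte, padLen int) bool {
	blk, _ := aes.NewCipher(deriveKey(pass))
	out := make([]byte, 16)
	cipher.NewCBCDecrypter(blk, lastTwo[:16]).CryptBlocks(out, lastTwo[16:32])
	return bytes.Equal(out[16-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen))
}

// reducedSample encrypts a constructed 32-byte seed and returns only the last two blocks.
func reducedSample(pass []byte) []byte {
	padded := append(bytes.Repeat([]byte("constructed-seed"), 2), bytes.Repeat([]byte{16}, 16)...)
	blk, _ := aes.NewCipher(deriveKey(pass))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(ct, padded) // constructed zero IV
	return ct[len(ct)-32:]
}

func main() {
	two := reducedSample([]byte("correct horse"))
	fmt.Println(padOK([]byte("correct horse"), two, 16), padOK([]byte("wrong guess"), two, 16))
}
```

With a short pad length a wrong password passes this check by chance about once in 256^padLen tries, so survivors still have to be confirmed by the owner against the full encseed.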