tag:blogger.com,1999:blog-6644490640411457335.post8616880958886117218..comments2022-12-24T02:01:01.553-07:00Comments on Electric Alchemy: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPRDChttp://www.blogger.com/profile/04707388475829589192noreply@blogger.comBlogger12125tag:blogger.com,1999:blog-6644490640411457335.post-16712314911454543452011-01-01T07:28:27.317-07:002011-01-01T07:28:27.317-07:00This comment has been removed by a blog administrator.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-59337232430968272132010-02-27T21:53:17.444-07:002010-02-27T21:53:17.444-07:00Can you share the PGP Zip fix? I downloaded the l...Can you share the PGP Zip fix? I downloaded the latest EDPR and PGP Desktop, but when loading the PGP Zip file it says something about "file is not encrypted". Also, on my MBP 15" with 2.5Ghz dual core I'm only getting around 400 passwords per second when trying to brute force a PGP Disks. No where near what you guys are seeing (2 millions passwords/sec) against the PGP Zip file. I'm guess brute forcing PGP Zips are significantly faster than PGP WDE or Disk???Unknownhttps://www.blogger.com/profile/05265639682374759567noreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-39210140821084893292009-11-04T20:49:34.461-07:002009-11-04T20:49:34.461-07:00Thanks to all of you who had constructive feedback...Thanks to all of you who had constructive feedback and good questions. We have answered many of the questions in <a href="http://news.electricalchemy.net/2009/11/cracking-passwords-in-cloud-q.html" rel="nofollow">this post</a>.DChttps://www.blogger.com/profile/04707388475829589192noreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-10289772205264335512009-11-04T13:07:14.728-07:002009-11-04T13:07:14.728-07:00Great article. I'm curious if anyone could tel...Great article. I'm curious if anyone could tell me what hashing/encryption algorithm PGP Zip uses. Aka, how many rounds of MD5/SHA1 ect does it use to convert the user's password into the encryption key. That way I could estimate the cost to crack other hash types, (such as NTLM or WPA). Also, are the graphs on the results page created by attacking PGP Zip files as well? <br /><br />Finally, you almost never want to do a pure brute force attack. Using Markov models can drastically reduce the number of guesses you need to make even when performing a non-dictionary based attack. Some analysis that I did on the hotmail set, pure brute force vs. Markov models can be found here: http://reusablesec.blogspot.com/2009/10/analysis-of-10k-hotmail-passwords-even.htmlMatt Weirhttps://www.blogger.com/profile/16008062842047893999noreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-17600111030184325302009-11-04T08:15:22.440-07:002009-11-04T08:15:22.440-07:00Well, it may cost $8,784 to you, but not for gover...Well, it may cost $8,784 to you, but not for governments who may have dedicated clouds setup to accomplish exactly this task for them.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-25787674454051550392009-11-03T11:35:37.939-07:002009-11-03T11:35:37.939-07:00So, the machine cost is about $.30 * 24 hours * 10...So, the machine cost is about $.30 * 24 hours * 10 servers * 122 days = $8,784, but it will only succeed if the password is 8 characters or less and doesn't contain any punctuation. If it doesn't work, then you can throw another $500k of CPU time to try a 9 character password. A good article about how to use the tools, but you're not going to succeed against a good password.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-52940461118853262512009-11-03T11:05:13.623-07:002009-11-03T11:05:13.623-07:00I am curious if you got a reasonable return on inv...I am curious if you got a reasonable return on investment considering the cost of ec2. Can you say how much it ended up costing you in the end, or maybe the ratio of how much you charged the client vs ec2 costs?Anonymoushttps://www.blogger.com/profile/06151369512940297900noreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-48721574724316695622009-11-03T10:00:48.109-07:002009-11-03T10:00:48.109-07:00It's a pity that all of this is done using clo...It's a pity that all of this is done using closed-source programs / OSesAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-74921508469130498812009-11-03T07:21:26.232-07:002009-11-03T07:21:26.232-07:00first of all, thanks a lot for the interesting wri...first of all, thanks a lot for the interesting write-up!<br />Just being curious: decrypting a PGP encrypted file through bruteforce cracking the passphrase - does that mean you were in possession of the (passphrase protected) private key?<br />Or was the file encrypted using a symmetric key?<br />Decrypting a file using ONLY the passphrase contradicts my understanding on how PGP works...Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-25145289644244574362009-11-03T07:04:38.358-07:002009-11-03T07:04:38.358-07:00So did you crack the password in the end? How long...So did you crack the password in the end? How long did it take? You've left us hanging here!!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-6396064840490223902009-11-03T03:52:09.118-07:002009-11-03T03:52:09.118-07:00Awesome stuff. We've been doing similar stuff ...Awesome stuff. We've been doing similar stuff with wpa-psk and mpi as well as rtgen and rcrack on EC2/S3 for a while. If only Amazon would release EC2 units with dedicated GPUs, then we'd really be cooking.Infosec Updatehttp://news.mandalorian.comnoreply@blogger.comtag:blogger.com,1999:blog-6644490640411457335.post-13356329297673470512009-11-03T00:29:11.045-07:002009-11-03T00:29:11.045-07:00Sounds cool, a very interesting way to approach th...Sounds cool, a very interesting way to approach the computational problem of cracking passwords. Keep it up!Anonymousnoreply@blogger.com