support for DashLane user master passwords #1317

Open
roycewilliams opened this Issue Aug 10, 2017 · 2 comments

roycewilliams commented Aug 10, 2017

Placeholder for DashLane non-cloud "user master password" support. Not sure yet if/how this is a candidate for hashcat.

Per this analysis, how the master password is used looks like this, but not yet sure how the master password itself is hashed:

Local access to User Data

Access to the user’s data requires using the User Master Password which is only known by the user. It
is used to generate the symmetric AES 256 bits key for ciphering and deciphering the user’s personal
data on the user’s device.

The user’s data ciphering and deciphering is performed using OpenSSL:

  • A 32 bytes salt is generated using the OpenSSL RAND_bytes function (ciphering) or reading it from the AES file (deciphering)
  • The User Master Password is used, with the salt, to generate the AES 256 bit key that will be used for (de)ciphering. This generation is performed using the OpenSSL PKCS5_PBKDF2_HMAC_SHA1 function, using more than 10000 iterations
  • The 32 bytes initialization vector is generated with OpenSSL EVP_BytesToKey function using SHA1
  • Then, the data is (de)ciphered using CBC mode.
  • When ciphering, the salt is written in the AES file

Update: I will try to set up a master password of 'hashcat' for testing.

Update 2: Beyond my current fu to trace where it's stored locally on Windows. Deferred for now.

@roycewilliams roycewilliams changed the title from support for DashLane to support for DashLane user master passwords Aug 10, 2017
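
The key-derivation step in the quoted analysis, as an added example (not code from this issue, hashcat, John the Ripper or DashLane). It implements PBKDF2-HMAC-SHA1 by hand and cross-checks it against `hashlib`. Assumptions: the iteration count (the page only says "more than 10000"), UTF-8 password encoding, and the constructed salt.

```python
import hashlib
import hmac
import struct

SHA1_LEN = 20        # HMAC-SHA1 output size in bytes
KEY_LEN = 32         # AES-256 key size, from the quoted description
SALT_LEN = 32        # salt size, from the quoted description
ITERATIONS = 10_001  # assumption: the page only says "more than 10000"
SAMPLE_SALT = bytes(range(SALT_LEN))  # constructed salt, not real data


def pbkdf2_sha1(password, salt, iterations, dklen):
    """PBKDF2-HMAC-SHA1 (RFC 8018); returns (key, HMAC calls made)."""
    blocks = -(-dklen // SHA1_LEN)  # ceil(dklen / 20): 2 blocks for 32 bytes
    out, calls = b"", 0
    for index in range(1, blocks + 1):
        # U_1 = HMAC(password, salt || INT(block index))
        u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
        acc = int.from_bytes(u, "big")
        calls += 1
        for _ in range(iterations - 1):
            # U_n = HMAC(password, U_{n-1}); the block is the XOR of all U_n
            u = hmac.new(password, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")
            calls += 1
        out += acc.to_bytes(SHA1_LEN, "big")
    return out[:dklen], calls


def derive_master_key(master_password, salt, iterations=ITERATIONS):
    """Derive the AES-256 key as the quoted text describes (UTF-8 assumed)."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"expected a {SALT_LEN}-byte salt, got {len(salt)}")
    return pbkdf2_sha1(master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def matches_reference(master_password, salt, iterations=ITERATIONS):
    """Cross-check the manual derivation against hashlib's PBKDF2."""
    key, _ = derive_master_key(master_password, salt, iterations)
    ref = hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                              salt, iterations, KEY_LEN)
    return hmac.compare_digest(key, ref)


if __name__ == "__main__":
    key, calls = derive_master_key("hashcat", SAMPLE_SALT)
    print(key.hex(), calls, matches_reference("hashcat", SAMPLE_SALT))
```

Because a 32-byte key is longer than one 20-byte SHA1 output, PBKDF2 computes two blocks, so each derivation costs twice the iteration count in HMAC-SHA1 calls.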

roycewilliams Aug 12, 2017

Contributor

Recent John the Ripper work is probably relevant:

magnumripper/JohnTheRipper#2658
magnumripper/JohnTheRipper#2659


roycewilliams Aug 18, 2017

Contributor

John the Ripper has a working implementation now, with sample data - see magnumripper/JohnTheRipper#2658
