Bitcoin Forum
November 16, 2024, 08:59:46 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 [8] 9 10 11 12 13 14 »  All
  Print  
Author Topic: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas... SOLVED!!  (Read 13658 times)
CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 11:56:53 AM
 #141

This is security by obscurity though. Once they know about your implementation it will be easily cracked.

Oh really - then why hasn't this been cracked already?

(the script in the OP is a simplified version of the one I will publish - btw you cannot run the script I will publish without first modifying it in order to hopefully stop someone being silly enough to run it without first modifying it as I modified the one being tested here)

If I can modify one line of a script and use a 4 letter password that no-one here has been able to crack already then I think that speaks for itself.

Smiley

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Scrat Acorns
Sr. Member
****
Offline Offline

Activity: 293
Merit: 250



View Profile
December 26, 2012, 11:58:40 AM
 #142

Oh really - then why hasn't this been cracked already?

First of all, you're implying that just because we haven't cracked it in 10 hours then it will never be cracked.

Secondly, we don't know the exact implementation of your key derivation function.
phr33
Full Member
***
Offline Offline

Activity: 226
Merit: 100


View Profile
December 26, 2012, 11:58:56 AM
 #143

You can send it to 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ

All winnings will be passed on to a followup contest! It might take a while, but there will be one!

On it's way:

http://blockchain.info/tx/003a4b9ee67639a08c28b9c183ab36f3b2fc192aeac84d9bd8cc29684f6f094e

I have a much better bash script that I am including with a custom Open SUSE distro (which I am still putting together) - that will be a hell of a lot more challenging than this to crack (the point being similar to Mike Caldwell's one that you don't need to remember a huge password to get good security).

Smiley


Thank you very much! You will be in the list of sources of the price for my upcoming challenge!

Could you please direct me to Mike Caldwell's statements? With a (light but still) background in information theory I'm rather skeptical to this statement. Entropy is a b-tch   Cool

My BTC input: 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ
My GPG ID: B0CCFD4A
phr33
Full Member
***
Offline Offline

Activity: 226
Merit: 100


View Profile
December 26, 2012, 12:00:30 PM
 #144


Oh really - then why hasn't this been cracked already?


The difference is that in the case we are cracking you haven't yet published the algorithm. One could say that the algorithm is a part of the key and it needs to be kept secret in order to not compromise security.

I recommend reading this: http://en.wikipedia.org/wiki/Security_by_obscurity

My BTC input: 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ
My GPG ID: B0CCFD4A
wachtwoord
Legendary
*
Offline Offline

Activity: 2338
Merit: 1136


View Profile
December 26, 2012, 12:01:32 PM
 #145

Mike's thread: https://bitcointalk.org/index.php?topic=128699.0
cedivad
Legendary
*
Offline Offline

Activity: 1176
Merit: 1001



View Profile
December 26, 2012, 12:02:07 PM
 #146

Oh really - then why hasn't this been cracked already?

We have the 15 millions permutations of the possible key, correct? We also have stuff that runs 10k tests per second.

I don't really understand why this wasn't cracked already. I must be missing something.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 12:04:30 PM
 #147

...we don't know the exact implementation of your key derivation function.

Why would you? The idea is that you have to change the script to create your *own* puzzle.

I understand that creating entropy is not easy (and I am certainly not trying to trivialise this problem) but I think it doesn't need to be nearly as hard as trying to remember huge passwords.

If I am wrong then you will be able to steal funds from CIYAM Open - I welcome the challenge!!!

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
K1773R
Legendary
*
Offline Offline

Activity: 1792
Merit: 1008


/dev/null


View Profile
December 26, 2012, 12:04:49 PM
 #148


yes, for opencl u have to change this
Code:
typedef struct {
        uint8_t length;
        uint8_t v[24];
} gpg_password;
change the 24 to 64 in both files (current folder and opencl).
now its working Smiley

Looks good!
I would still defiantly try that using a key with known password to make sure it really works Smiley
done, works for CPU and GPU implementation Smiley

[GPG Public Key]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
Scrat Acorns
Sr. Member
****
Offline Offline

Activity: 293
Merit: 250



View Profile
December 26, 2012, 12:06:30 PM
 #149

Why would you? The idea is that you have to change the script to create your *own* puzzle.

I understand that creating entropy is not easy (and I am certainly not trying to trivialise this problem) but I think it doesn't need to be nearly as hard as trying to remember huge passwords.

If your key derivation is secret then what you are essentially doing is using that as your password as well. Because to decrypt it you dont only have to remember your 4 chars, but you also have to remember the exact formula of the key derivation.
phr33
Full Member
***
Offline Offline

Activity: 226
Merit: 100


View Profile
December 26, 2012, 12:07:36 PM
 #150

...we don't know the exact implementation of your key derivation function.

Why would you? The idea is that you have to change the script to create your *own* puzzle.

I understand that creating entropy is not easy (and I am certainly not trying to trivialise this problem) but I think it doesn't need to be nearly as hard as trying to remember huge passwords.


Ok, but now you have to also remember the secret derivation function!

Yes - you can store it on your computer. But then you could also just have stored a better password to begin with!

If you make the derivation function public the security of your short password goes down the drain.

My BTC input: 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ
My GPG ID: B0CCFD4A
CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 12:08:09 PM
 #151

If your key derivation is secret then what you are essentially doing is using that as your password as well. Because to decrypt it you dont only have to remember your 4 chars, but you also have to remember the exact formula of the key derivation.

Very true - but it's rather easy to hide a mathematical equation (or something else) in some notes that wouldn't seem directly related to your bitcoins isn't it?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 12:09:56 PM
 #152

Ok, but now you have to also remember the secret derivation function!

Yes - you can store it on your computer. But then you could also just have stored a better password to begin with!

If you make the derivation function public the security of your short password goes down the drain.

Of course - that is a very key point to the technique (although I have no need to write things like that down as I have a very good memory) - but so far you guys haven't been able to read my mind and I wasn't even trying with this one.

Cheesy

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
December 26, 2012, 12:11:36 PM
 #153

Python for the win!

Code:
import itertools
import hashlib

group = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

for passw in list(itertools.product(group, repeat=4)) :
  pas = ''.join(passw)
  # Modify next line!
  final = "%s+%s=%s%s@L3AsT\n" % (pas, pas, pas, pas)
  m = hashlib.sha256()
  m.update(final)
  print  "%s" %(m.hexdigest())


Code:
$ time python run.py > dict.txt

real    0m37.305s
user    0m35.162s
sys     0m1.200s


F* ME! I wrote it in C and it's taking 1m 57s to generate the full 14776336 pwd set and I didn't even time it to disk as I planned to pipe it. Must be either openssl lib sha256 is pretty slow or I'm just being retarded with too much string copying and mickey mouse code.

CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 12:13:43 PM
 #154

The difference is that in the case we are cracking you haven't yet published the algorithm. One could say that the algorithm is a part of the key and it needs to be kept secret in order to not compromise security.

I recommend reading this: http://en.wikipedia.org/wiki/Security_by_obscurity

Nice link - and indeed the "salting algorithm" *needs* to be changed by the user (the *real* script literally won't hash a password for you unless you do modify it).

This technique (perhaps unlike Mike's) is only being aimed at those who are capable of using it (i.e. not for Gavin's grandma) although perhaps others can work out some ways to make this even easier for the less computer literate (am willing to set up a task on CIYAM Open and provide some funds if anyone is interested in taking this on).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
phr33
Full Member
***
Offline Offline

Activity: 226
Merit: 100


View Profile
December 26, 2012, 12:19:18 PM
 #155


F* ME! I wrote it in C and it's taking 1m 57s to generate the full 14776336 pwd set and I didn't even time it to disk as I planned to pipe it. Must be either openssl lib sha256 is pretty slow or I'm just being retarded with too much string copying and mickey mouse code.

I'll happely put it in bold:
Python for the win!  Cheesy

Kidding aside, it's generally a good idea to use as high level library functions as possible, e.g. in my case use itertools to create and iterate the list, rather than doing things manually. If you have a problem, you can bet someone already had a similar one, AND came up with a quicker solution than you would in 15 minutes   Cheesy

Python just happens to have a sh-t load of such libraries. Not only do you get up and running quickly. It also often runs quite fast. (I realize this is the wrong forum to make such a statement. I know Bitcoin mining is not quick enough on a python ref implementation Wink )

My BTC input: 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ
My GPG ID: B0CCFD4A
K1773R
Legendary
*
Offline Offline

Activity: 1792
Merit: 1008


/dev/null


View Profile
December 26, 2012, 12:22:15 PM
 #156


F* ME! I wrote it in C and it's taking 1m 57s to generate the full 14776336 pwd set and I didn't even time it to disk as I planned to pipe it. Must be either openssl lib sha256 is pretty slow or I'm just being retarded with too much string copying and mickey mouse code.

I'll happely put it in bold:
Python for the win!  Cheesy

Kidding aside, it's generally a good idea to use as high level library functions as possible, e.g. in my case use itertools to create and iterate the list, rather than doing things manually. If you have a problem, you can bet someone already had a similar one, AND came up with a quicker solution than you would in 15 minutes   Cheesy

Python just happens to have a sh-t load of such libraries. Not only do you get up and running quickly. It also often runs quite fast. (I realize this is the wrong forum to make such a statement. I know Bitcoin mining is not quick enough on a python ref implementation Wink )
my java + JNI (C) stuff was faster Tongue

my rule for levels: work at the API/level where u fully know what happens, never go deeper.

[GPG Public Key]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
phr33
Full Member
***
Offline Offline

Activity: 226
Merit: 100


View Profile
December 26, 2012, 12:31:14 PM
 #157


Nice link - and indeed the "salting algorithm" *needs* to be changed by the user (the *real* script literally won't hash a password for you unless you do modify it).

This technique (perhaps unlike Mike's) is only being aimed at those who are capable of using it (i.e. not for Gavin's grandma) although perhaps others can work out some ways to make this even easier for the less computer literate (am willing to set up a task on CIYAM Open and provide some funds if anyone is interested in taking this on).


To be picky the term "secret key derivation function" is probably more correct than "salting algorithm". This might look like salting, but actually isn't. I'm not going to link to wikipedia again, but there is some nice info on slating there as always.

To better illustrate that the derivation function is a part of the password is that you could of course select an "algorithm" that doesn't use any input. such as
Code:
echo "my_secret_123;

Here you add zero bits of entropy to get the key and the entire security lies in the secrecy of the function.

My BTC input: 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ
My GPG ID: B0CCFD4A
CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 12:34:24 PM
 #158

To be picky the term "secret key derivation function" is probably more correct than "salting algorithm". This might look like salting, but actually isn't. I'm not going to link to wikipedia again, but there is some nice info on slating there as always.

To better illustrate that the derivation function is a part of the password is that you could of course select an "algorithm" that doesn't use any input. such as
Code:
echo "my_secret_123;

Here you add zero bits of entropy to get the key and the entire security lies in the secrecy of the function.

Sorry for the poor terminology (I am actually far from being an encryption expert) but I am hoping that the point being that "it only takes a bit of creativity" to create a secure password is being made (rather than the "brainwallet - type in a very long and hard to remember password" approach).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Scrat Acorns
Sr. Member
****
Offline Offline

Activity: 293
Merit: 250



View Profile
December 26, 2012, 12:37:15 PM
Last edit: December 26, 2012, 01:22:02 PM by Scrat Acorns
 #159

Sorry for the poor terminology (I am actually far from being an encryption expert) but I am hoping the point being that "it only takes a bit of creativity" to create a secure password is being made (rather than the "brainwallet" approach).
I don't see how this is not a brainwallet too. It would be like creating an electrum 10 word passphrase, remembering only 4 of them and writing 6 of them down on a piece of paper.

You're just adding the entropy either way.

The difference is that you can easily calculate the entropy of a brainwallet. Your function however not so much. So you won't know how secure it is.
CIYAM (OP)
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 26, 2012, 12:39:30 PM
 #160

I don't see how this is not a brainwallet too. It would be like creating an electrum 10 word passphrase, remembering only 4 of them and writing 6 of them down on a piece of paper.

You're just adding the entropy either way.

It is indeed a "brainwallet" of sorts but I think it is a much better one - if I am so wrong then I would have thought that the 10 BTC would have already been moved by now.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Pages: « 1 2 3 4 5 6 7 [8] 9 10 11 12 13 14 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!