Bitcoin Forum
Author Topic: Password encryption - cracking  (Read 157 times)
Peter88 (OP)
December 15, 2017, 11:15:39 PM
 #1

Hi,

From going through the source code of Electrum I understand that when you choose password protection (not for the whole wallet), the seed and xprv are encrypted using AES256CBC. In summary, it takes  times a hash of the password and then it encrypts the full string.

Example
"xprv": "xprv9s21ZrQH143K4PFo8hZiVDXKuJeQHrvN6dqvpPMQYDXRnqYMPWQ4GQXYtebCKtF9gu1ses7NNVY3VCECVgWYpVKziGzTyM3hrfGRKtSsxjF"
Encrypting with password 'test' gives
"xprv": "utyhIJlLf9oIUtc9vqOKS9R6b1KzM+u72Vn7PVoyLFHaRyzJ44zTWLF4RNmUScMHnA6ySJ/USljiOpUjp7lVcb6MR9GfLO1i6VK1iS4souwr/fqkpCHUWH7AXV0APjsa6C/Zpll0LgZ7x0RBv2+SQd54lNpX9XG0NUqbNzeA9tI="

Now, the part that I do not understand is how password crackers (like JTR) can find the password based on only the first 32 out of 128 bytes of this encrypted text. I believe the first 16 bytes are the IV. Are the next 16 bytes separately encrypted or is there some math trick to figure out if the encryption would work?  Any links that explain this would be highly appreciated! I would like to understand the security of the password usage.
BitMaxz
December 16, 2017, 12:00:29 AM
Last edit: December 16, 2017, 01:11:08 AM by BitMaxz
 #2

This is inside the wallet.dat? I don't see any method in forum that you can decode and get the password of xprv?
Also not safe to share your xprv code because I think it includes your seed phrase.

Just quoting this maybe it can help you to recover your wallet
1. Decode the base-64 into binary.
2. Remove the first 16 bytes, they are the IV. The rest is the cyphertext.
3. Derive the encryption key as sha256(sha256(convert_to_utf8(password))).
4. Decrypt the cyphertext with AES-256 in CBC mode using the key, IV, and cyphertext from above.
5. Remove the trailing PKCS7 padding.

This script will do so for you from a wallet file: https://github.com/gurnec/decrypt_electrum_seed

Another list of recovery methods is here: https://github.com/gurnec/btcrecover

Peter88 (OP)
December 16, 2017, 12:21:39 PM
 #3

Hi BitMaxz,

thanks for your reply. Let me begin with saying this is just an example private key and I did not lose my password. I am just trying to understand how the protection works. The part you quoted is indeed the correct way to decrypt the phrase with the password. My confusion is however how the cracking tools can detect the correct password by only taking the first 16 bytes of the phrase. (Since my assumption is that an encrypted text is completely garbled and hence being able to detect the password from only 16 bytes seems to be a shortcut in the security)
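
Added example, not part of the thread and not code from Electrum or the linked tools: in CBC mode the first plaintext block equals AES-decrypt(key, C1) XOR IV, so the IV plus the first ciphertext block are enough to test a candidate password against the known "xprv" prefix. It follows steps 1-4 quoted in #2 on the ciphertext posted in #1; the AES-256 block decryption is written out inline so it runs on the Python standard library alone, and the names `first_block` and `plausible` are illustrative.

```python
import base64, hashlib

def _mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox(a):  # field inverse followed by the AES affine map
    i = next((b for b in range(1, 256) if _mul(a, b) == 1), 0)
    v = i ^ (i << 1) ^ (i << 2) ^ (i << 3) ^ (i << 4)
    return ((v ^ (v >> 8)) & 0xFF) ^ 0x63

SBOX = [_sbox(a) for a in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
XOR = lambda x, y: [a ^ b for a, b in zip(x, y)]
PAGE_BLOB = "utyhIJlLf9oIUtc9vqOKS9R6b1KzM+u72Vn7PVoyLFHaRyzJ44zTWLF4RNmUScMHnA6ySJ/USljiOpUjp7lVcb6MR9GfLO1i6VK1iS4souwr/fqkpCHUWH7AXV0APjsa6C/Zpll0LgZ7x0RBv2+SQd54lNpX9XG0NUqbNzeA9tI="  # ciphertext from post #1

def _round_keys(key):  # AES-256 key schedule: 15 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = w[i - 1][1:] + w[i - 1][:1] if i % 8 == 0 else w[i - 1]
        if i % 4 == 0:  # SubWord every 4th word; RotWord and Rcon every 8th
            t = [SBOX[b] for b in t]
        if i % 8 == 0:
            t[0], rcon = t[0] ^ rcon, _mul(rcon, 2)
        w.append(XOR(w[i - 8], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _inv_shift_sub(s):  # InvShiftRows + InvSubBytes; state index = 4*col + row
    return [INV_SBOX[s[4 * ((c - r) % 4) + r]] for c in range(4) for r in range(4)]
def _inv_mix(s):  # InvMixColumns with coefficients 14, 11, 13, 9
    col = lambda c, r: [_mul(s[c + j], (14, 11, 13, 9)[(j - r) % 4]) for j in range(4)]
    return [a ^ b ^ d ^ e for c in (0, 4, 8, 12) for r in range(4) for a, b, d, e in [col(c, r)]]

def aes256_decrypt_block(key, block):  # FIPS-197 inverse cipher, one 16-byte block
    rk = _round_keys(key)
    s = XOR(block, rk[14])
    for r in range(13, 0, -1):
        s = _inv_mix(XOR(_inv_shift_sub(s), rk[r]))
    return bytes(XOR(_inv_shift_sub(s), rk[0]))

def first_block(blob_b64, password):  # quoted steps 1-4, restricted to block 1
    raw = base64.b64decode(blob_b64)
    key = hashlib.sha256(hashlib.sha256(password.encode("utf-8")).digest()).digest()
    return bytes(XOR(aes256_decrypt_block(key, raw[16:32]), raw[:16]))  # P1 = D_k(C1) xor IV

def plausible(blob_b64, password):  # "xprv" prefix, then alphanumerics only (base58 is a subset)
    p1 = first_block(blob_b64, password)
    return p1.startswith(b"xprv") and p1.isalnum()
```

A wrong key yields 16 effectively random bytes, so matching the 4-byte prefix by chance has probability about 2^-32. Since the key is only two SHA-256 passes over the password, each check is cheap and the strength of the password itself is what protects the seed and xprv.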