eCryptfs

How to discover cipher of an encrypted FS

Asked by arcovia

Hi,

Is there any method of determining cipher used on an already encrypted FS? I'm attempting to access an encrypted FS stored on a USB device in another computer, and the only thing about I'm sure is the used password.

Thank's

Question information

Language:
English Edit question
Status:
Answered
For:
eCryptfs Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Dustin Kirkland  (kirkland) said : 		#1

Hmm, not that I know of. There is a small finite number. I would try
each in sequence, and mount with the ro (readonly) option just to be
safe. Good luck.

Revision history for this message
Ted_Smith (tedsmith28) said : 		#2

Yes

Choose any of the encrypted files and open one using a hex editor (or hexdump via command line).

Navigate to offset 0x001D (i.e. the 30th byte in from the start. It's the 29th strictly speaking as we count from zero). If the value is hexadecimal 07 (0x07), that means the AES cipher was used. AES is used by default as you may know.

If it's not 0x07, 9.2 of RFC2440 paper (http://tools.ietf.org/html/rfc2440) refers. e.g if Triple DES was used, you'd see 0x02 :

ID Algorithm
-- ---------
0 - Plaintext or unencrypted data
1 - IDEA [IDEA]
2 - Triple-DES (DES-EDE, as per spec -
              168 bit key derived from 192)
3 - CAST5 (128 bit key, as per RFC 2144)
4 - Blowfish (128 bit key, 16 rounds) [BLOWFISH]
5 - SAFER-SK128 (13 rounds) [SAFER]
6 - Reserved for DES/SK
7 - Reserved for AES with 128-bit key

Revision history for this message
Ted_Smith (tedsmith28) said : 		#3

PS - if you don't have a hex editor, I recommend Okteta! It's a superb GUI hex editor.

Can you help with this problem?

Provide an answer of your own, or ask arcovia for more information if necessary.

To post a message you must log in.