Once you select your password by way of Multibit’s person interface, the software program passes it as an argument to the PKCS5PasswordToBytes technique, which is a part of the Spongy Fortress library. This technique accepts the password as a char array and outputs it as a byte array. It’s later used to both encrypt or decrypt a .key file. Beneath, right here’s how the strategy is carried out within the PBEParametersGenerator.java file. Can you notice the bug?
public static byte[] PKCS5PasswordToBytes(
char[] password)
{
byte[] bytes = new byte[password.length];
for (int i = 0; i != bytes.size; i++)
{
bytes[i] = (byte)password[i];
}
return bytes;
}
In Java, the char sort is made up of two bytes; nonetheless, the code above assumes {that a} char is made up of just one byte! Thus, for every char processed within the loop, the low-order byte is stored whereas the high-order byte is discarded. Below the suitable circumstances, this could grow to be a difficulty.
Since Java depends on the UTF-16 BE charset, Multibit encodes the password as 20 AC when it’s entered within the person interface. When it’s transformed by way of the PKCS5PasswordToBytes technique, the high-order byte (20) is dropped whereas the low-order byte (AC) is stored.
In contrast to with our earlier instance, AC is just not the correct encoding for our password in any of the charsets above. As such, a password cracker could fail to decrypt the .key file even with the proper password.
What are your choices?
If you happen to haven’t executed so already, it’s best to attempt to unlock your pockets by way of Multibit Basic immediately. Sadly, this strategy rapidly turns into impractical in case you are not sure of your password and should sort in each guess. In such a case, you will want a password cracker.
You may keep away from the bug described on this article by utilizing the password cracker on a .pockets file as a substitute of a .key file. Whereas this strategy beats typing in each guess, it scales terribly because the .pockets file has a lot better safety in opposition to password crackers than the .key file. Furthermore, a few of these instruments have their very own set of character encoding points you need to be conscious of.
If you happen to use the password cracker on a .key file, they’re a number of workarounds for character encoding points, however they need to be evaluated on a case-by-case foundation and it’s outdoors the scope of this text. I encourage you to maintain doing all of your analysis or to contact me.
