cyclone-github / phantom_pwn

Tools to extract and decrypt Phantom wallets

New KDF

Banaanhangwagen opened this issue

Since Phantom v24.9, Phantom changed the way the KDF is derived. The extracted vault now mentions scrypt instead of pbkdf.

Example of an extraction with password "password":

{"encryptedKey":{"digest":"sha256","encrypted":"4q67Hurr6i5g3iC9i93qgevw1AHByfu4cB2hX7GGuGKGMwPazQ7eJu7PAfnYZaaCyD","iterations":10000,"kdf":"scrypt","nonce":"EokY5qjXKHXiGg6LuZYDtgLFP1dtYpLVM","salt":"HopKt4jDL62TD8i8d2gTTh"},"version":1}

I tried to change the code by simply using key = scrypt(password, salt, 32,16384,8,1), but that would be too easy, right?

Maybe someone has another idea?

This is confirmed on Phantom v24.9.1. In order to decrypt these, phantom_decryptor logic will have to be rewritten to support scrypt. I'll look into this as time allows.

Added support to phantom_extractor so it can extract hashes from Phantom v24.9.x vaults. ef1c864

Hello, have you had any time to look into it? Anything you have already checked and a status would be nice! I'll try to work on this tomorrow. By the way, in your writeup on the decryptor for new vaults you say that you get a payload which you can use on the other JSON strings, but I don't get that payload? I only get a password.

Hello, have you had any time to look into it? Anything you have already checked and a status would be nice! I'll try to work on this tomorrow.

I've only briefly looked into this, but the v24.9.x vault appears similar to v24.6.x, but uses scrypt rather than pbkdf2 for the KDF.

By the way, in your writeup on the decryptor for new vaults you say that you get a payload which you can use on the other JSON strings, but I don't get that payload? I only get a password.

The phantom_decryptor tool only cracks the vault password on <= v24.6 which is the previous version. Decrypting the full payload on v24.6 vaults is a process described here: https://github.com/cyclone-github/writeups/blob/main/Pwning%20Phantom%20Wallets.pdf

For anyone else following along, here are the scrypt parameters found in Phantom v24.11 source code:
src/background/background.js
N=4096
r=8
p=1
dkLen=32

case "scrypt":
	return c.from(yield(0, i.scryptAsync)(e, t(s).decode(r.salt), {
		N: 4096,
		r: 8,
		p: 1,
		dkLen: u.secretbox.keyLength
	}));

Phantom source code (Chrome Extension):
https://gofile.io/d/YXhKek
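
Added example (not code from this issue, from phantom_pwn, or from Phantom): it derives the key for the vault record quoted in the first post using the scrypt parameters listed from background.js, next to the N=16384 guess from the first post, to show that the two parameter sets give different keys. Base58 decoding of the salt and UTF-8 encoding of the password are assumptions, and the function names are hypothetical.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Vault record quoted in the first post of this issue (password "password").
VAULT = ('{"encryptedKey":{"digest":"sha256","encrypted":"4q67Hurr6i5g3iC9i93qgevw1AHByfu4cB2hX7GGuGKGMwPazQ7eJu7PAfnYZaaCyD",'
         '"iterations":10000,"kdf":"scrypt","nonce":"EokY5qjXKHXiGg6LuZYDtgLFP1dtYpLVM","salt":"HopKt4jDL62TD8i8d2gTTh"},"version":1}')


def b58decode(text: str) -> bytes:
    """Decode base58 (Bitcoin alphabet); each leading '1' is one zero byte."""
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def derive_key(vault_json: str, password: str, n: int = 4096, r: int = 8,
               p: int = 1, dklen: int = 32) -> bytes:
    """Derive the vault key; defaults are the values listed from background.js."""
    ek = json.loads(vault_json)["encryptedKey"]
    # Dispatch on "kdf". The record does not carry N/r/p, and the scrypt branch
    # shown above reads only the salt, so "iterations" is not used here.
    if ek.get("kdf") != "scrypt":
        raise ValueError(f"unsupported kdf: {ek.get('kdf')!r}")
    salt = b58decode(ek["salt"])  # assumption: salt is base58 text
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=dklen)


def compare_parameter_sets(vault_json: str, password: str):
    """Return (key with N=4096 from the source, key with N=16384 from the first post)."""
    return derive_key(vault_json, password), derive_key(vault_json, password, n=16384)


if __name__ == "__main__":
    source_key, guessed_key = compare_parameter_sets(VAULT, "password")
    print("N=4096 :", source_key.hex())
    print("N=16384:", guessed_key.hex())
    print("same key:", source_key == guessed_key)
```

Because the vault record does not store N, r or p, a tool that reads these vaults has to take them from the extension source for the version that wrote the vault.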