[Cryptography] Norton Password Vault

Ersin Taskin hersintaskin at gmail.com
Wed Nov 21 04:58:06 EST 2018

On Mon, Nov 19, 2018 at 9:44 AM Kevin W. Wall <kevin.w.wall at gmail.com>

> A friend of mine who is a financial advisor just had one of his
> client's pass away. His client used Norton Anti-virus Password Vault
> to manage his all of his web passwords. (Not sure what version, if it
> matters.)
> I was wondering if anyone was aware of the details of the file format
> of the Norton Anti-virus Password Vault file. I know that it is using
> AES (I was told 256-bit), but don't know what cipher mode or padding
> scheme it is using. It probably is using some sort of PBE, but I have
> no idea what it is using for the password based key derivation
> function....whether it is PBKDFv2 or scrypt or bcrypt, etc. and even
> if I knew that, I wouldn't know what how to pull out any salt from the
> vault file.

I suspect it uses PBKDF2 for compliance purposes and historical timing. I
might provide better guesses if you tell me the version/date. My bet is it
may also use pepper. If this is the case getting the salt does not help. So
first check if it uses pepper. Pepper is a key unlike salt but for
convenience you use the same pepper for the users an the pepper is stored
plain text (mostly hex/Base64 coded)  in a config file (on the server side
most probably in this case). If this is the case you will have to contact
vendor for help which is a dead end. If the vault were a standalone low
profile program and pepper is stored locally (which is in conflict with the
real function of pepper but we see such cases) you have other options. You
still need to find the salt. If you find the salt AES 256 would be
beautifully cracked with dictionary attack (if you do not have the pepper
barrier). Good news: salt is plain, and next to the hashed password in most
cases. So salt is not a secret key like pepper. You should be able to find
it with some technical documentation of the product. If you can provide
more info, data, file I may try to help.

Do they know the username of the Vault as well? If not username attack
should be done before password attack. Does the version of the software
give different error messages for username mismatch and password mismatch?
I would not beleive it would. Nevertheless, usernames are vulnerable to
timing attacks. I suspect Norton might not apply the same timing-safe
algorithms to usernames like they do to passwords, which is very common.
Usernames are not as confidential as passwords. If they do not know the
username, implementing a timing attack on the username first is what I
would do.

You may check this page to understand the most probable scheme used if it
uses PBKDF2 (with pepper option).
page may give insight helping you design your code/strategy.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20181121/8cb510d8/attachment.html>

More information about the cryptography mailing list