Forums Help & support Key-wrap issue Reply To: Key-wrap issue

#6529 Reply


Yes, the fix is in and will be released next week. Thanks! If you’d like I’ll be happy to give you 3 months Premium as a small bug bounty token of appreciation.

It’s an easy error to make. Apple made a similar mistake in iOS 10 when they inadvertently reduced the security of their backups by 2,500 times.

As you’re an open source project I’ll forego your offer of 3 months premium because you give your own time in developing AxCrypt. Thank you for the offer.

I and my colleagues will gladly help open source developers. With closed source software bugs I tend not to report them to the developers because of the differing laws across the world (and the rules on reverse engineering) and because they contribute nothing towards the community. There’s also a big monetary market in the forensics software community for closed source software bugs.

You should interpret the 50ms / full keywrap as being equivalent to targeting a cracking speed of 20 passwords / seconds in the target system


The target of 20 full keywraps / second is set so that in normal use and even on a much slower system (think mobile), it will still be fast to actually use for a user. We don’t want a multi-second delay to open a file for regular users.

I was thinking of mobile processors when I was looking at the key-wrap. It would be a small improvement (but neither essential or critical) to allow the user to modify the key-wrap within the UI. If simplicity is what AxCrypt is aiming for then maybe not.

With a national security level budget you could perhaps increase that by a factor a million, in which case a single crack will average a little under a million years. For the type of use AxCrypt is made for (private and commercial information security), we believe it’s reasonable.

The fastest supercomputers are capable of cracking at around 3 trillion passwords per seconds and attacks are only getting better. For private and commercial security the base iteration count of 5000 is reasonable as of June 2017 but once your updated version is released this will offer better security.