Enclosed is PIN you can use to open the front door via the keypad.
A few years ago, I wrote a nice newbie's guide to GNU Privacy Guard, a
free public key cryptosystem. (Google for mirrors if you want it--my
web site has been down since January.) :^)
Anyway, I've gotten some interesting feedback over the years, but this one that I got today really takes the cake.
Suggestions for how to respond, anyone?
I am using GnuPG for encrypting text files to send to [entity].
Attached are two encrypted versions of the same file: one was done on April 25th, and the other was done today. As you can see, the one done today is not a valid encrypted file.
I have also included the original clear text file.
Do you have any suggestions as to why this is occurring? I would very much appreciate any help.
Thanks & regards,
Replying to my own post... Okay, so I was being a bit harsh, but I'm
still surprised that the sender was trying to encrypt this data and yet
sent a copy of it to me.
/sits in corner for ten minutes for flying off the handle.
That's OK. I usually fly off the handle quite frequently with my end users. They just don't get it sometimes ya know. [:D]
I think I have some intelligence that foreign governments might want to use against the United States in terms of biological warfare and threat analysis. Just to make sure they can't use it, I'll send it to them and ask for a response one way or the other.
Hum... let's be optimistic here...
Maybe, just maybe, the person is trying to encrypt some files to send
to [entity], and in lieu of his problem, he sent you examples of files
that had the same problem -- BUT NOT THE SAME FILES HE IS TRYING TO ENCRYPT -- just sample files, mind you.
Yeah, that's it... that's the ticket.
With an encrypted version of the file, and the plain text version, he's much further on the way to doing a brute force attack to discover the encryption key... Hey, remember distributed.net?
Quite possibly the requirement to encrypt the file came from the receiver and the sender couldn't care less. Been there.
Reminds me of an e-mail I saw...someone sent
out an e-mail to a large group of people in the company...it contained
a username and password. Someone brought it to the attention of the
security czar within the company. He does a reply all to the message
and adds 20 or 30 more people to the distribution list reiterating the
company's policy on not sending usernames and passwords in the same
e-mail and failure to comply could result in termination. The best part
is...wait for it...wait for it....he left the original message intact
in his reply (keep in mind 20 or 30 brand-new people now have the
username and password).
Of course me being the smart @ss I am, sent a reply back to him,
informing him he was in violation of the company policy and he should
collect his final paycheck. I however, blanked out the username and
password in the original message. ;O)
After watching Jack Ass on MTV, my first thought was, how can we be the
same species that put a man on the moon?
Mmm, much like the "network gurus" at another office asking for people's
network passwords at our office, to update software. I kindly replied
to them that I do not supply my username nor password, and that they
were free to log on to my machine as the domain administrator, should
the need arise.
I totally agree Mike. That's what the administrator account is for.
With an encrypted version of the file, and
the plain text version, he's much further on the way to doing a brute
force attack to discover the encryption key... Hey, remember
Actually plaintexts have nothing to do with brute force cracking. The
only good it would do would be to match it against the output, but
given the nature of the algorithms, it'd be trivial to do so without a
On the other hand this might be mildly useful for a differential attack
if you could convince him to send you another "test" message. (Most
differentials require hundreds or even millions of messages though.)
FYI, in case anyone was curious, I looked at the sample files he
emailed to me and pointed out to him that they both looked like valid
GPG output--one in ASCII format ("ASCII armored" in GPG lingo) and one
as a binary stream. I even got as far as determining the key ID of the
decryption key that was needed for both of them.
I pointed out that he probably shouldn't have sent me the plaintext,
but he didn't seem too concerned about it--the data must be rather
Anyway, he went off to RTFM and figure out what output options he
wanted and I haven't heard back from him, so I assume he's helped
I agree with the poster above who says that having one
cyphertext and matching plaintext doesn't really give you much help in
a brute force attack on GPG, but I imagine it's marginally better than
starting with only the cyphertext.
Brendan Kidwell wrote:
I agree with the poster above who says that having one cyphertext and matching plaintext doesn't really give you much help in a brute force attack on GPG, but I imagine it's marginally better than starting with only the cyphertext.
Wrong. [Brendan takes his foot out of his mouth.]
If you can break a public-key scheme given a number of plaintext/ciphertext pairs, you can also break it without them. Just choose your own plaintexts and encrypt them with the public key you have since it is _public_.
Duh! Gee, it's a good thing I'm not actually a security professional or anything. :^)
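The file check mentioned earlier in the thread (telling ASCII-armored GPG output from a binary stream and reading the key ID of the decryption key it needs), as an added example that is not part of the original posts. It assumes the RFC 4880 packet layout; the sample packet, key ID and helper names are constructed for illustration.

```python
import base64

ARMOR_BEGIN = b"-----BEGIN PGP MESSAGE-----"

def dearmor(data):
    """Return (format, raw packet bytes) for armored or binary input."""
    if not data.lstrip().startswith(ARMOR_BEGIN):
        return "binary", data
    lines = data.strip().splitlines()
    blank = next(i for i, l in enumerate(lines) if not l.strip())  # end of armor headers
    body = [l for l in lines[blank + 1:] if not l.startswith((b"=", b"-----"))]
    return "ascii-armored", base64.b64decode(b"".join(body))

def read_header(buf, pos):
    """Parse one packet header; return (tag, body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, 1 << (o1 & 0x1F)  # partial body: first chunk only
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        return tag, pos + 1, len(buf) - pos - 1  # indeterminate: runs to end
    n = 1 << ltype  # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(data):
    """Key IDs from the leading public-key encrypted session key packets (tag 1)."""
    fmt, raw = dearmor(data)
    ids, pos = [], 0
    while pos < len(raw):
        tag, start, length = read_header(raw, pos)
        if tag != 1:  # session-key packets come first; stop at the data packet
            break
        if raw[start] == 3:  # v3 layout: version, 8-byte key ID, algorithm, MPIs
            ids.append(raw[start + 1:start + 9].hex().upper())
        pos = start + length
    return fmt, ids

# Constructed sample: one session-key packet with a made-up key ID and dummy MPI.
KEY_ID = bytes.fromhex("0123456789ABCDEF")
PKESK = bytes([0x84, 13, 3]) + KEY_ID + bytes([1, 0x00, 0x08, 0xFF])
ARMORED = ARMOR_BEGIN + b"\n\n" + base64.b64encode(PKESK) + b"\n-----END PGP MESSAGE-----\n"
```

The key ID sits in the clear at the front of the message, which is why it can be read without holding any secret key.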