Enclosed is PIN you can use to open the front door via the keypad.



  • A few years ago, I wrote a nice newbie's guide to GNU Privacy Guard, a
    free public key cryptosystem. (Google for mirrors if you want it--my
    web site has been down since January.) :^)



    Anyway, I've gotten some interesting feedback over the years, but this one that I got today really takes the cake.



    Suggestions for how to respond, anyone?


    Brendan,

    I am using GnuPG for encrypting text files to send to [entity].

    Attached are two encrypted versions of the same file: one was done on April 25th, and the other was done today. As you can see, the one done today is not a valid encrypted file.

    I have also included the original clear text file.

    Do you have any suggestions as to why this is occurring? I would very much appreciate any help.

    Thanks & regards,

    [name]



  • Replying to my own post... Okay, so I was being a bit harsh, but I'm
    still surprised that the sender was trying to encrypt this data and yet
    sent a copy of it to me.



    /sits in cornder for ten minutes for flying off the handle.



  • That's OK.  I usually fly off the handle quite frequently with my end users.  They just don't get it some times ya know. [:D]



  • I think I have some intelligence that foreign governments might want to use against the United States in terms of biological warfare and threat analysis. Just to make sure they can't use it, I'll send it to them and ask for a response one way or the other.



  • Hum... lets be optimistic here...



    Maybe, just maybe, the person is trying to encrypt some files to send
    to [entity], and in lieu of his problem, he sent you examples of files
    that had the same problem -- BUT NOT THE SAME FILES HE IS TRYING TO ENCRYPT -- just sample files, mind you.



    Yeah, that's it... that's the ticket. 🙂



        dZ.



  • With an encrypted version of the file, and the plain text version, he's much further on the way to doing a brute force attack to discover the encryption key... Hey, remember distributed.net?



  • Quite possibly the requirement to encrypt the file came from the receiver and the sender couldn't care less. Been there.



  • @strongarm said:
    Reminds me of an e-mail I saw...someone sent
    out an e-mail to a large group of people in the company...it contained
    a username and password. Someone brought it to the attention of the
    security czar within the company. He does a reply all to the message
    and adds 20 or 30 more people to the distribution list reiterating the
    company's policy on not sending usernames and passwords in the same
    e-mail and failure to comply could result in termination. The best part
    is...wait for it...wait for it....he left the original message intact
    in his reply (keep in mind 20 or 30 brand-new people now have the
    username and password).
    Of course me being the smart @ss I am, sent a reply back to him,
    informing he was in violation of the company policy and he should
    collect his final paycheck. I however, blanked out the username and
    password in the original message. ;O)

    After watching Jack Ass on MTV, my first thought was, how can we be the
    same species that put a man on the moon?



    Mmm, much like the "network gurus" at another office asking for peoples
    network passwords at our office, to update software. I kindly replied
    to them that I do not supply my username nor password, and that they
    were free to log on to my machine as the domain administrator, should
    the need arise.



  • I totally agree Mike. That's what the administrator account is for.

    Drak



  • @IDisposable said:

    With an encrypted version of the file, and
    the plain text version, he's much further on the way to doing a brute
    force attack to discover the encryption key... Hey, remember
    distributed.net?


    Actually plaintexts have nothing to do with brute force cracking. The
    only good it would do would be to match it against the output, but
    given the nature of the algorithms, it'd be trivial to do so without a
    plaintext.



    On the other hand this might be mildly useful for a differential attack
    if you could convince him to send you another "test" message. (Most
    differentials require hundreds or even millions of messages though.)



  • follow up

    FYI, in case anyone was curious, I looked at the sample files he
    emailed to me and pointed out to him that they both looked like valid
    GPG output--one in ASCII format ("ASCII armored" in GPG lingo) and one
    as a binary stream. I even got as far as determining the key ID of the
    decryption key that was needed for both of them.



    I pointed out that he probably shouldn't have sent me the plaintext,
    but he didn't seem too concerned about it--the data must be rather
    innocuous.



    Anyway, he went off the RTFM and figure out what output options he
    wanted and I haven't heard back from him, so I assume he's helped
    himself.



    I agree with the poster above who says that having the having one
    cyphertext and matching plaintext doesn't really give you much help in
    a brute force attack on GPG, but I imagine it's marginally better than
    starting with only the cyphertext.




  • Brendan Kidwell wrote:



    I agree with the poster above who says that having the having one cyphertext and matching plaintext doesn't really give you much help in a brute force attack on GPG, but I imagine it's marginally better than starting with only the cyphertext.

    divVerent wrote:

    Wrong.

    If you can break a public-key scheme given a number of plaintext/ciphertext pairs, you can also break it without them. Just choose your own plaintexts and encrypt them with the public key you have since it is _public_.

    [Brendan takes his foot out of his mouth.]

    Duh! Gee, it's a good thing I'm not actually a security professional or anyhting. :^)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.