1998-03-02 - Re: Newbie pgp question

Header Data

From: Bill Stewart <bill.stewart@pobox.com>
To: Mike <cypherpunks@toad.com
Message Hash: 7b0fad4493d37dc58221511194cbffc5c416769fef496ad33925050f98a3e60c
Message ID: <3.0.5.32.19980302002230.0092c210@popd.ix.netcom.com>
Reply To: <34FA122A.74E4@mail.nevalink.ru>
UTC Datetime: 1998-03-02 08:26:08 UTC
Raw Date: Mon, 2 Mar 1998 00:26:08 -0800 (PST)

Raw message

From: Bill Stewart <bill.stewart@pobox.com>
Date: Mon, 2 Mar 1998 00:26:08 -0800 (PST)
To: Mike <cypherpunks@toad.com
Subject: Re: Newbie pgp question
In-Reply-To: <34FA122A.74E4@mail.nevalink.ru>
Message-ID: <3.0.5.32.19980302002230.0092c210@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 04:58 AM 3/2/98 +0300, Mike wrote:
>I need - well, it sounds funny - to crack PGP-encrypted text ;)
>I have secring.pgp but not the keyphrase - does it make things easier or not?
>I also have pgpcrack99.zip (DOS-version, zip means that I unzipped it
>for the 1st time :)  But I guess it will take megahours with big
>dictionary - and it will cover only single words, not sentences.
>Please, can somebody introduce me a little?

Remember how PGP works:
PGP picks a random session key, and encrypts it with the public key
of the recipient (using RSA or a Diffie-Hellman version),
and encrypts the message with the session key.
The recipient's private key is encrypted with the passphrase
for the private key and stored in secring.pgp.
When the recipient wants to decrypt the message, they type
their passphrase into PGP, which decrypts the private key
from the secring and uses it to decrypt the session key from the message,
and uses the session key to decrypt the message body.

The session key is long, and you won't crack it.
RSA depends on factoring big numbers, and if the user has a 512-bit
public key or a longer public key _you_ won't be able to crack it.
(The KGB might*, and a distributed internet crack might, but you won't.)
But the passphrase for decrypting the private key from the secring file
is picked by the user - some users use short stupid keys, and 
other users use long difficult keys, and short stupid keys can be cracked.
The user needs to protect their secring file, to prevent this attack,
but if you have their secring, you can try to crack it.

If this is your _own_ secring, and you can't remember your passphrase,
it's easier, because you probably know what words you use in passphrases,
so your dictionary can be short and the crack can be fast.
If you stole somebody else's secring, or somebody else store yours,
then you have to guess what kind of dictionary to use.

This only works for the recipient's secring - if you steal the sender's
secring, even if you crack their passphrase, it doesn't help,
because that's only used when somebody sends them messages,
or when they sign messages (and now you can forge them.)

*I assume you're not the KGB or Mafia, because then you would just
beat up the guy until he gives you the passphrase.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639





Thread