From: kelso@netcom.com (Tom Rollins)
To: cypherpunks@toad.com
Message Hash: 74baad430efb7e037f7b31b586657a1143c173b0cf6e62c1820977ec367fad7e
Message ID: <199509091707.KAA15642@netcom17.netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-09 17:10:55 UTC
Raw Date: Sat, 9 Sep 95 10:10:55 PDT
From: kelso@netcom.com (Tom Rollins)
Date: Sat, 9 Sep 95 10:10:55 PDT
To: cypherpunks@toad.com
Subject: Re: Scientology tries to break PGP - and fails? (fwd)
Message-ID: <199509091707.KAA15642@netcom17.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
> >Tom Rollins writes:
> >> If this is the file that the Co$ is trying to crack, then what the
> >> is being asked for is a pass phrase that can be handed to the Co$
> >> that will pass the PGP valid key check and still not decrypt the
> >> data to anything usefull.
> >
> >Well, I don't have the PGP 'conventional' encryption format memorized, but
> >there is probably a constant after the IV that is prepended to the data. The
> >constant is used to determine if the key is correct. Since the conventional
> >encryption runs in CFB mode and there is a full block of random IV at the
> >beginning of the file, it is extremely unlikely that a key could be found
> >that would properly decrypt only the first two blocks while leaving the rest
> >unreadable...
> >
> >> If Larry Wollersheim does have the valid key. It would be a simpler
> >> process to know what fake key to use and work it backwards through
> >> the MD5 to arrive at an ascii string to produce the fake key.
> >
> >Not really. Even if you could find an IDEA key that would produce the
> >desired output it would be hard to find a passphrase that would produce that
> >key when hashed. One of the properties of one-way hash functions is that it
> >is difficult to find a plaintext that produces a given hash. Hence the term
> >'one-way'.... Even if you did find a passphrase (which, if MD5 is strong,
> >would require something like 2^64 operations), it would likely be long, have
> >8-bit chars, and would be impossible to type in. It would be tough to
> >convince anyone that it was the real passphrase.
> >
> >
> >andrew
> >
>
>
> There was a hack to pgp ui published a while back that would allow
> someone decrypting a RSA encrypted file to print out the idea key.
>
> Another feature of the hack allowed someone with the idea key to decrypt
> an RSA PGP encrypted file ignoring the RSA headers and using the IDEA
> key directly.
>
> Using this software should allow the reciever of an RSA PGP encrypted
> file to allow someone else to decrypt it (by giving them the IDEA key)
> without exposing the secret key. The IV block check will allow them to
> check that they are using the correct idea key.
>
Looking at the source code showes that all that is needed to
pass the PGP key check is for the first two blocks to decode
in such a way that the last 2 bytes of the IV match the 2
check bytes before the actual message. Thus the first 6 bytes
of the IV and the last 6 bytes of the next block need not
match the actual message.
There was a bug in the older versions of PGP that set the
IV to a constant instead of a random value when encrypting
with the "-c" option.
I made a mistake thinking that knowledge of the correct
key would help in creating a fake key.
Return to September 1995
Return to “kelso@netcom.com (Tom Rollins)”
1995-09-09 (Sat, 9 Sep 95 10:10:55 PDT) - Re: Scientology tries to break PGP - and fails? (fwd) - kelso@netcom.com (Tom Rollins)