1995-09-09 - Re: Scientology tries to break PGP - and fails? (fwd)

Header Data

From: kelso@netcom.com (Tom Rollins)
To: cypherpunks@toad.com
Message Hash: 74baad430efb7e037f7b31b586657a1143c173b0cf6e62c1820977ec367fad7e
Message ID: <199509091707.KAA15642@netcom17.netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-09 17:10:55 UTC
Raw Date: Sat, 9 Sep 95 10:10:55 PDT

Raw message

From: kelso@netcom.com (Tom Rollins)
Date: Sat, 9 Sep 95 10:10:55 PDT
To: cypherpunks@toad.com
Subject: Re: Scientology tries to break PGP - and fails? (fwd)
Message-ID: <199509091707.KAA15642@netcom17.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


> >Tom Rollins writes:
> >>  If this is the file that the Co$ is trying to crack, then what the
> >>  is being asked for is a pass phrase that can be handed to the Co$
> >>  that will pass the PGP valid key check and still not decrypt the
> >>  data to anything usefull.
> >
> >Well, I don't have the PGP 'conventional' encryption format memorized, but  
> >there is probably a constant after the IV that is prepended to the data.  The  
> >constant is used to determine if the key is correct.  Since the conventional  
> >encryption runs in CFB mode and there is a full block of random IV at the  
> >beginning of the file, it is extremely unlikely that a key could be found  
> >that would properly decrypt only the first two blocks while leaving the rest  
> >unreadable...
> >
> >>  If Larry Wollersheim does have the valid key.  It would be a simpler
> >>  process to know what fake key to use and work it backwards through
> >>  the MD5 to arrive at an ascii string to produce the fake key.
> >
> >Not really.  Even if you could find an IDEA key that would produce the  
> >desired output it would be hard to find a passphrase that would produce that  
> >key when hashed.  One of the properties of one-way hash functions is that it  
> >is difficult to find a plaintext that produces a given hash.  Hence the term  
> >'one-way'....  Even if you did find a passphrase (which, if MD5 is strong,  
> >would require something like 2^64 operations), it would likely be long, have  
> >8-bit chars, and would be impossible to type in.  It would be tough to  
> >convince anyone that it was the real passphrase.
> >
> >
> >andrew
> >
> 
> 
> There was a hack to pgp ui published a while back that would allow
> someone decrypting a RSA encrypted file to print out the idea key.
> 
> Another feature of the hack allowed someone with the idea key to decrypt
> an RSA PGP encrypted file ignoring the RSA headers and using the IDEA
> key directly.
> 
> Using this software should allow the reciever of an RSA PGP encrypted
> file to allow someone else to decrypt it (by giving them the IDEA key)
> without exposing the secret key. The IV block check will  allow them to
> check that they are using the correct idea key.
> 

Looking at the source code showes that all that is needed to
pass the PGP key check is for the first two blocks to decode
in such a way that the last 2 bytes of the IV match the 2
check bytes before the actual message. Thus the first 6 bytes
of the IV and the last 6 bytes of the next block need not
match the actual message.

There was a bug in the older versions of PGP that set the
IV to a constant instead of a random value when encrypting
with the "-c" option.

I made a mistake thinking that knowledge of the correct
key would help in creating a fake key.





Thread