At 04:58 AM 3/2/98 +0300, Mike wrote:
I need - well, it sounds funny - to crack PGP-encrypted text ;) I have secring.pgp but not the keyphrase - does it make things easier or not? I also have pgpcrack99.zip (DOS-version, zip means that I unzipped it for the 1st time :) But I guess it will take megahours with big dictionary - and it will cover only single words, not sentences. Please, can somebody introduce me a little?
Remember how PGP works: PGP picks a random session key, and encrypts it with the public key of the recipient (using RSA or a Diffie-Hellman version), and encrypts the message with the session key. The recipient's private key is encrypted with the passphrase for the private key and stored in secring.pgp. When the recipient wants to decrypt the message, they type their passphrase into PGP, which decrypts the private key from the secring and uses it to decrypt the session key from the message, and uses the session key to decrypt the message body. The session key is long, and you won't crack it. RSA depends on factoring big numbers, and if the user has a 512-bit public key or a longer public key _you_ won't be able to crack it. (The KGB might*, and a distributed internet crack might, but you won't.) But the passphrase for decrypting the private key from the secring file is picked by the user - some users use short stupid keys, and other users use long difficult keys, and short stupid keys can be cracked. The user needs to protect their secring file, to prevent this attack, but if you have their secring, you can try to crack it. If this is your _own_ secring, and you can't remember your passphrase, it's easier, because you probably know what words you use in passphrases, so your dictionary can be short and the crack can be fast. If you stole somebody else's secring, or somebody else store yours, then you have to guess what kind of dictionary to use. This only works for the recipient's secring - if you steal the sender's secring, even if you crack their passphrase, it doesn't help, because that's only used when somebody sends them messages, or when they sign messages (and now you can forge them.) *I assume you're not the KGB or Mafia, because then you would just beat up the guy until he gives you the passphrase. Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639