
Testing the reality of breaking encryption


JamesA


Encryption technology is used to store data, of that we are all aware. For those of you out there that are tech savvy I pose a question.

When encrypting data the longer and more complex password is the best, this is fairly common knowledge. However, my question today is -- given the practical reality of most 'hackers' skills & resources, is basic encryption, using a basic key crackable?

Linked at the bottom of this post is a 1mb file, it's encrypted and it contains some data. The password is weak, this is the aim of the game -- attempt to crack the encryption and reveal the data inside of the encrypted file here, in this thread.

The idea of this exercise is to test the reality of encrypted technologies against a real life situation, do we really need 20 digit passcodes and can a personal computer break encryption?

Hopefully, we'll see!

Good luck.

http://rapidshare.com/files/203932781/T52

That's up to you to decide for, if you do decide to partake in the exercise. Giving away too much information would defeat the point of the test. As an attacker coming across data, there's a slim to none chance that you'd know what algorithms are being used and precisely what format the data takes.

That's up to you to decide for, if you do decide to partake in the exercise. Giving away too much information would defeat the point of the test. As an attacker coming across data, there's a slim to none chance that you'd know what algorithms are being used and precisely what format the data takes.

Not really. What are the common forms of encryption on the Internet? PGP/GPG, SSL, possibly encrypted archives.

PGP probably (because I don't know) has a way of verifying a successful decryption; even if it doesn't, text is what you are looking for most likely.

SSL most likely does not (again, I don't know the fine details) have a way of verifying successful decryption, but html and images is what you are looking for. Find an image or some html and you figured out what the session key is.

Archives generally have a process of verifying the decryption was successful.

That's up to you to decide for, if you do decide to partake in the exercise. Giving away too much information would defeat the point of the test. As an attacker coming across data, there's a slim to none chance that you'd know what algorithms are being used and precisely what format the data takes.

If I come across encrypted data on a system the first thing I'm gonna do is work out what available encryption/decryption methods that system has. Little point in having it there if it can't be decrypted by the users.

Work out what's on the machine, then use that to decrypt the data.

That's up to you to decide for, if you do decide to partake in the exercise. Giving away too much information would defeat the point of the test. As an attacker coming across data, there's a slim to none chance that you'd know what algorithms are being used and precisely what format the data takes.

Actually you should give all the information away apart from the password. You're asking to see if people will be able to crack the password, not find out how it is encrypted.

Information on the internet that is encrypted generally has what algorithm and other settings sent with it. This is so people who receive it know what to do with it. This is the case with SSL and other systems.

This also leads to why cryptography algorithms that are good have their source code available, otherwise you are relying on security through obscurity, which has little benefit.

The problem with your challenge is that the people with the ability to do it (knowledge and power available to them) will have better things to do with your time and aren't going to bother.

If you're interested in brute force attacks on algorithms then there is plenty of research on the internet which you can read.

That's up to you to decide for, if you do decide to partake in the exercise. Giving away too much information would defeat the point of the test. As an attacker coming across data, there's a slim to none chance that you'd know what algorithms are being used and precisely what format the data takes.

Sorry, but that's absurd. For all we know it could just be an XOR encryption, but without knowing anything and just being given the file we would have to bruteforce of the forms of encryption we could think of because it's not like encryptions leave you a nice header in the file (wow that was a horrid run-on sentence :x). If I were to stumble upon random data somewhere on the internet that was encrypted with no clue on where to go I'd just ignore it, no point in wasting my time for something that's probably not going to be interesting / of any use anyways.

The only thing that can be proven here is INSECURITY. If a bunch of forum-dwellers break it, then you might need to consider using a stronger key. If we can't, however, it really doesn't mean anything.

1. I don't think that any of us are skilled cryptanalysts. That means that we could just lack the skill to pull it off.

2. None of us here are irresistibly motivated to crack your file. I mean, some people who are bored or really, really want to prove themselves might take a crack at it, but see #1. They might not be the most skilled of the people here, and they aren't nearly as motivated nor have the resources that a dedicated attacker (research team, corporate spy, or government agency) might have.

3. You can't hide secrets from the future with math.

The problem about your exercise is that if we don't know what we are looking for in your file, we won't recognize the solution when we see it.

That's the old story about the answer 42. If you don't expect an answer you won't be able to tell if it is the answer. (hard stuff, I hope someone understands)

I could just say: I found the solution, the key is 0 and the file contains a series of random numbers. Or if I decrypt it with the key "love" I get a series of ones and zeros, where the bits are the result of measuring a decay of some radioactive material and whenever a nucleus decays there's a 1 otherwise a 0.

You know what I mean?

If we're not looking for something specific we would find everything and nothing...

But if I'm searching for an English text in your data, then I can look out for some letters, vocals, consonants, and statistics of them.

The problem about your exercise is that if we don't know what we are looking for in your file, we won't recognize the solution when we see it.

Actually that's the easy part, assuming the correct plain text is not random data (not very useful to send large quantities around encrypted) then it's nearly trivial to realize when you have successfully decrypted the cipher text. Any data that contains information that conveys some kind of meaning has patterns in it.

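The recognition step described in the last two posts, as an added example that is not part of the original thread: a few cheap statistics separate a correct decryption from a wrong one, so withholding the algorithm or format buys little and the key has to carry the security. The single-byte XOR "cipher", the sample sentence and the thresholds are constructed assumptions, not details of the posted file.

```python
# Constructed sample plaintext (not the contents of the thread's file).
SAMPLE = (b"Any data that conveys meaning has patterns in it, "
          b"and English text is easy to spot.")

COMMON = "etaoinshr"  # the most frequent English letters


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR, standing in for 'some weak cipher'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_english(data: bytes) -> bool:
    """Heuristic plaintext test: printable bytes, spaces, common letters.

    The thresholds are assumptions chosen for short English sentences.
    """
    if not data:
        return False
    n = len(data)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / n
    spaces = data.count(b" ") / n
    common = sum(chr(b).lower() in COMMON for b in data) / n
    return printable > 0.95 and 0.08 < spaces < 0.30 and common > 0.40


def candidate_keys(ciphertext: bytes) -> list[int]:
    """Try all 256 single-byte keys and keep those whose output reads as text."""
    return [k for k in range(256)
            if looks_like_english(xor_bytes(ciphertext, bytes([k])))]


if __name__ == "__main__":
    ct = xor_bytes(SAMPLE, bytes([0x5A]))  # constructed ciphertext
    for k in candidate_keys(ct):
        print(hex(k), xor_bytes(ct, bytes([k])))
```

Every wrong key fails at least one of the three ratios, which is the sense in which recognising the plaintext is the easy part; the work factor sits in the size of the key space, not in hiding the method.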
