Recovery of PCSECURE files and bogus GnuPG algorithms

Joseph Bruni josephbruni@netscape.net
Thu Jun 20 05:10:01 2002


Based on what I read, Mr. Zimmermann doesn't seem to be rude or sour-graping about anything. He in fact stated that he wasn't so concerned about the container as with the algorithms.

I, personally, would like to hear his objections about the algorithms, but that would probably take a white paper rather than a hastily typed email at 30,000 ft. I'm sure the information he is alluding to is available.

Joe






john clark <lurq_gnupg@yahoo.com> wrote:

>
>
>hi guys,
>
>the ff is a record of correspondence that took place
>between my friend and Mr. Zimmermann last June 10.
>
>My friend was asking PRZ some help about an old DOS
>encryption program he got problems with. 
>
>He encrypted the message to PRZ using gpg, but some of
>the gnupg options were altered, like tiger loaded,
>cipher-algo twofish digest-algo tiger192, etc...
>
>PRZ was unable to decrypt the message. The ff email
>messages follow this.
>
>=======================================================
>
>From: Philip Zimmermann <prz@mit.edu>
>To: "John Edward R. Mallen" <trauma@surgical.net> 
>Subject:  Re: Recovery of PCSECURE files and bogus GnuPG algorithms
>Date:  Mon, 10 Jun 2002 10:35:17 +0200 
>
>
>Sorry, Jed, I have no experience with PCSECURE.  Never used it
>or even seen it.
>You might have to hire a consultant to spend the time looking
>into the matter.
>I could spend some time on it, but that would run you $2000/day.
>
>There are companies that specialize in this kind of data
>recovery.  One is AccessData, which I presume might use
>accessdata.com as its web address.  I can't check if that is the
>right URL now, because I'm on a plane high above Bangkok at the
>moment.  I'll upload this email when I reach Perth.
>
>Changing the subject-- I'm curious how you generated the earlier
>message to me, the one that had a bad session key due to using the
>wrong algorithm in GnuPG.
>Exactly what GnuPG settings did you use to generate that
>message?  You had to override my own public key's settings to
>generate that message with that algorithm.  How did you do that?
>
>I noticed this time you left off the GnuPG version labels, which
>are purely cosmetic.
>Were you worried that they would somehow offend me for not using
>the real PGP?
>Believe me, it was not a question of what product you were
>using.  It was a question of using a nonstandard algorithm within
>the product.
>
>Regards,
>Phil
>
>
>On Friday, June 7, 2002, at 04:12  PM, John Edward R. Mallen wrote:
>
>> ....
>>
>>   How can I go about this task?
>>   
>>   Thanks.
>>
>> - jed
>>
>>
>
>Philip R Zimmermann        prz@mit.edu
>http://philzimmermann.com  tel +1 650 322-7377
>(spelled with 2 n's)       fax +1 650 322-7877
>
>
> 
>=================================
>
>my consequent lame reply...
>
>
>>> Sorry, Jed, I have no experience with PCSECURE.  Never used it
>>> or even seen it....
>>
>> Thank you sir, but I've decided to just learn 8086 asm or
>> anything that'll help me open this encrypted file. I don't
>> really know how I'm supposed to go through with this but even
>> if I can't be successful in this endeavor, there's no loss in
>> learning something, right? Wish me luck :)
>>
>>> Changing the subject-- I'm curious how you generated the earlier
>>> message to me, the one that had a bad session key due to using the
>>> wrong algorithm in GnuPG.
>>> Exactly what GnuPG settings did you use to generate that
>>> message?  You had to override my own public key's settings to
>>> generate that message with that algorithm.  How did you do that?
>>
>> I'm currently using GnuPG 1.0.7.
>> My ~/.gnupg/options file at the time I encrypted that message
>> has the ff settings:
>>
>> #--------------------
>> default-key jed
>> load-extension tiger
>> cipher-algo twofish
>> digest-algo tiger192
>> #--------------------
>>
>> Maybe it overrode your public-key algo preferences, although
>> I'm not sure if it can do that. Probably not. For sure I cannot
>> change your preferred algorithms because I don't have your
>> secret key.
>>
>> Must be that I encrypted the message to your pubkey but it also
>> encrypted it to my key because of the default-key preferences.
>> But in this case you can still decrypt the message, right? I
>> tried decrypting the cipher text but I can't. stderr says I
>> don't have your secret keys.
>>
>> BTW, my preferences for the key I used was I think,
>> S10 S9 S8 S7 S3 S4 S2 H2 H3 Z1 Z2
>> though I'm not really sure because I already changed it to have
>> Rijndael256, Rijndael192, and Rijndael after reading on the AES
>> contest some.
>>
>>
>>> I noticed this time you left off the GnuPG version labels, which
>>> are purely cosmetic.
>>> Were you worried that they would somehow offend me for not using
>>> the real PGP?
>>
>> A bit, yes. I emailed you sometime in 1998 about how great PGP
>> was after using it for the first time. I asked you to send me
>> an encrypted email. You said you were busy but you still
>> replied which was a big thing for me. Someone who I hold in
>> high regard (like a rockstar of some sort) sends me email. I
>> was so naive at that time. I don't know if you still remember
>> that. Probably not.
>>
>> I still use PGP 6.5.8 on my other linux box. I just like to
>> play with GnuPG because it gives me more room to fool around
>> with crypto.
>>
>>> Believe me, it was not a question of what product you were
>>> using.  It was a question of using a nonstandard algorithm within
>>> the product.
>>
>> I'm confused by this. By standard do you mean OpenPGP or just PGP?
>>
>> Can I ask you some more questions?
>>
>> Do you keep in touch with the GnuPG people?
>>
>> If Twofish or some other cipher algorithm is not used in PGP,
>> does it mean that you think this algorithm is weak?
>>
>> Or just that it is not designed as well as AES but is still
>> secure in itself?
>>
>> THANK YOU SO MUCH Mr. Zimmermann. You don't know how much it
>> means to me to correspond with you. Thank you for not having a
>> large ego and being so down to earth.
>>
>> - Jed
>>
>> --
>
>
>=======================================================================
>and his answer....
>
>From: Philip Zimmermann <prz@mit.edu>
>To: "John Edward R. Mallen" <trauma@surgical.net> 
>Cc:   
>Subject:  Re: Recovery of PCSECURE files and bogus GnuPG algorithms
>Date:  Tue, 18 Jun 2002 23:14:44 +0800 
>
>
>I am paying $10/minute to type this reply from Tokyo, so I don't
>have time to tutor you from my hotel room.
>
>Just follow my advice without explanation:  Eliminate all
>algorithms from your preferences that are not supported by the
>real PGP.
>
>Eliminate any hashes except SHA1, no other hashes.  Also
>eliminate Elgamal signatures (but leave Elgamal encryption).
>Eliminate Blowfish.  Eliminate TIGER stuff.
>
>I can't spend another $30 to explain why.  Just do it, if you
>value expert advice.
>
>------------------------------------------------------
>Philip R Zimmermann        prz@mit.edu
>http://philzimmermann.com  tel +1 650 322-7377
>(spelled with 2 n's)       fax +1 650 322-7877
>
>
>=========================
>
>Would it be advisable for my friend to follow PRZ's
>advice and just use the PGP algorithms? What if my
>friend wants twofish more? Then people like PRZ won't
>be able to read his email right?
>
>What do you guys think? I think PRZ should get down
>from his high horse and stop sour-graping about GnuPG.
>
>
>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
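
Added example, not part of the original thread and not GnuPG code: a small Python audit of the two artifacts quoted above, the `~/.gnupg/options` file and the key preference string. It flags options that force or load an algorithm rather than following the recipient key's preferences, and decodes the `S`/`H`/`Z` codes using the OpenPGP algorithm numbers. The drop policy (SHA1 only, no Blowfish) is taken from the quoted reply; the function names are hypothetical.

```python
import re

# OpenPGP algorithm numbers as used in GnuPG preference strings
# (RFC 4880 numbering; 6 was TIGER/192 in RFC 2440).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 6: "TIGER192"}
COMPRESS = {0: "none", 1: "ZIP", 2: "ZLIB"}
TABLES = {"S": CIPHERS, "H": HASHES, "Z": COMPRESS}

# Options that force an algorithm (or load an extension providing one)
# regardless of what the recipient's public key advertises.
FORCING = {"cipher-algo", "digest-algo", "compress-algo", "load-extension"}

def audit_options(text):
    """Return (option, value) pairs that force or load an algorithm."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        name = name.lstrip("-")
        if name in FORCING:
            found.append((name, value.strip()))
    return found

def audit_prefs(prefs):
    """Decode a preference string; list codes the quoted advice would drop."""
    decoded, drop = [], []
    for kind, num in re.findall(r"\b([SHZ])(\d+)\b", prefs.upper()):
        name = TABLES[kind].get(int(num), "unknown")
        decoded.append(f"{kind}{num}={name}")
        # Policy from the quoted reply: no hashes except SHA1, no Blowfish.
        if (kind == "H" and name != "SHA1") or name == "BLOWFISH":
            drop.append(f"{kind}{num}")
    return decoded, drop

# Both samples are copied from the message quoted above.
SAMPLE_OPTIONS = """#--------------------
default-key jed
load-extension tiger
cipher-algo twofish
digest-algo tiger192
#--------------------
"""
SAMPLE_PREFS = "S10 S9 S8 S7 S3 S4 S2 H2 H3 Z1 Z2"

if __name__ == "__main__":
    for opt, val in audit_options(SAMPLE_OPTIONS):
        print(f"forces/loads algorithm: {opt} {val}")
    decoded, drop = audit_prefs(SAMPLE_PREFS)
    print(" ".join(decoded))
    print("drop per quoted advice:", " ".join(drop))
```
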

