Self Decrypting Archives
David Shaw
dshaw@jabberwocky.com
Fri Jun 20 00:47:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, Jun 19, 2003 at 03:23:53PM -0700, vedaal@hush.com wrote:
> >Message: 11
> >Date: Thu, 19 Jun 2003 16:58:07 -0400
> >From: David Shaw <dshaw@jabberwocky.com>
> >To: "'Gnupg-users@gnupg.org'" <Gnupg-users@gnupg.org>
> >Subject: Re: Self Decrypting Archives
> [...]
> >> If you really wanted to, you could even send your receiver a zip file
> >> containing the "gpg" binary, plus the encrypted file, and a batch file
> >> that contained something like "gpg theencryptedfile.gpg". Poof:
> >> instant SDA. Of course, it's still insecure ;)
> >
> >It works, and the end result is a SDA.
> [...]
>
> just curious,
>
> other than making a .exe file of what would otherwise be batch files,
>
> what does the pgp sda do differently?
>
> it seems as if it would need just a watered-down binary for symmetric
> decryption only
Yes.
> in your idea, wouldn't it also be possible to make a much smaller binary
> for the same symmetric decryption, and send it as a batch file, with
> the same instructions/caveats as for an sda,
Yes.
That's why I'm confused that what PGP creates is an "SDA", and a
self-extracting zip file containing gpg, an encrypted file, and an
autorun command to decrypt the file somehow isn't an "SDA". All "SDA"
is is a "(S)elf (D)ecrypting (A)rchive". There is no magic there.
> a practical way that sda's are done 'sort-of' securely, for multiple
> large files, is that they are all written as sda's onto a cdrw, sent
> by certified registered mail, and confirmed by phone by the receiver
> calling the sender upon receipt of the packet.
The problem is that there is no way to do it in a portable manner.
Linux executables won't run on Windows, Windows executables won't run
on FreeBSD, etc, etc. It would be very easy for someone to make their
own SDAs by self-extracting-zipping together the encrypted file, and
the decryption engine, but that's not really the point of GnuPG.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+8j2N4mZch0nhy8kRAjp7AJ0QCxILpcnwhXNTRFyndH+dUktHBQCdEHL4
Cgs972+IVlqi6L5sdCkKAmM=
=zVCJ
-----END PGP SIGNATURE-----