question on decryption with missing passcode

Henry Hertz Hobbit hhhobbit at securemecca.net
Thu Apr 18 03:27:01 CEST 2013


On 04/17/2013 11:39 PM, Henry Hertz Hobbit wrote:
> On 04/17/2013 09:05 PM, Beith, Linda wrote:
> 
>> Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg'
>> Gpg: decrypt_message filed: file open error
> 
> Daniel Kahn Gillmor is correct on this being a file permissions
> problem or maybe an OS problem for a file of that large size.
> Like Daniel, I assume the first.
> 
> I assume from what you said that it is encrypted with a symmetric
> cipher rather than a public key.  You need to rule out something
> encrypted with public key in which case only you rather than you
> and the sender can decrypt which can be done with a symmetric
> cipher.
> 
> The best thing would be to make sure you have the same thing:
> 
> $ sha1sum -b rwu.dbdump_Nov2012.sql.gz.gpg
> 
> sha1sum may not be good enough for security but it is good enough
> for file permission and corruption problems and should give you
> the same sum on both your system and their system.  But the message
> looks more like a file permissions problem and in that case
> even something as simple as sha1sum will also fail with a message
> like "Permission denied".  If you get that do a:
> 
> $ ls -l rwu.dbdump_Nov2012.sql.gz.gpg
> 
> That gives the permissions on the file.  Make sure you have
> read permissions (you are in the group specified for the
> file or read access is also given to Other).

Let us know when the problem is resolved (if it has not
been resolved already).  Having root access and typing
the following may need to be done:

# chmod 640 rwu.dbdump_Nov2012.sql.gz.gpg
# chmod 750

Also adding the user that is typing the commands to
the group for the files may be necessary and is actually
most likely what is wrong.

You may need to use 644 and 755 but I would NOT have
set it up that way.  Only the people in the group should
have access to the folder and files.  Name the group
as desired. They should have done all of this already.
No?  A school database that is THAT insecure?  Impossible!
Each client probably has a different group and the user
that is typing the commands that is NOT in that group will
have file permission problems.  That means you may have
no problems because you are in the group but they will
have problems if their user is not in your group or whatever
group they have put the file into.

More likely than not that will solve ALL of the problems
as long as you and they have write access to the folder
(dir) that the rwu.dbdump_Nov2012.sql.gz.gpg file is in.
Note that root does NOT do the decryption.  Only the user
authorized to do that does it.  But that user can NOT
change the permissions and ownership of the files if they
are not in the group.  The only user that can do that who
is not a member of the group is root.  But root cannot
even see the files in the /opt/swgroup if it is NFS mounted
and root is not in the swgroup group.

As a follow up, if the sha1sum command works and you have the
same check sum and sizes on both machines then we know you
have the same file and read access to it.  Well, I guess
somebody could hack the SHA1 check sum but that is esoteric
and unlikely.  Don't laugh.  I have malware with hacked
SHA1 sums.  It takes LOTS of computer power to do it.  They
used distributed power on the Internet that was supposed to
be used for scientific purposes to do it.  If you have
sha256sum and use it and the sizes and the SHA-256 sums
of both files are the same then you KNOW the files are the
same.

If you BOTH have read access to the file and write access
to the folder and you can decrypt it but they can't decrypt
it then it is very likely that they encrypted it using your
OpenPGP public-key.  In that case only the person that has
the secret key (you or whoever it is at rwu.edu that has
the secret key on their system) and knows the passcode
(more correctly, the pass-phrase) can decrypt the file.
Only the person / people that have the secret keys and
know the pass-phrase can decrypt the file.  Unfortunately
I have a system that set the pinentry to not require
the pass-phrase after I used it once to sign the block
list for Cookie-Safe (with no input from me other than
my pass-phrase and an Enter).  That is a very
dangerous condition.  I have lots more white hairs. It
requests the pass-phrase now.

They could also use the same passcode (password) even with
symmetric ciphers with each client being assigned the same
password / passcode for ALL files.  It is less secure but
the reason why is multiple passwords for each client can
lead to confusion and data that is lost forever.  But in
that case BOTH of you should be able to decrypt the file.

If you are using Windows, this hash program can quickly
provide all the various hashes for a given file (there
are others but this is only one that has been there for
YEARS):

http://www.slavasoft.com/hashcalc/index.htm

Cross tested with the same check-sums on Linux
both yielding same results.

HHH
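
The checks discussed in this message, gathered into one triage script as an added example that is not part of the original post: file access, group membership, a SHA-256 plus size comparison, and whether the file starts with a symmetric or a public-key session-key packet. The function names and the sample bytes are constructed for illustration, and the header check assumes a binary (non-armored) OpenPGP file.

```shell
#!/bin/sh
# Added example; function names and the sample bytes are constructed.

# access_status FILE -> missing | unreadable | dir-not-writable | ok
access_status() {
    [ -e "$1" ] || { echo missing; return; }
    [ -r "$1" ] || { echo unreadable; return; }
    # the post also asks for write access to the folder holding the file
    [ -w "$(dirname -- "$1")" ] || { echo dir-not-writable; return; }
    echo ok
}

# in_file_group FILE -> exit 0 when the caller belongs to the file's group
in_file_group() {
    gid=$(ls -ldn -- "$1" | awk '{print $4}')
    id -G | tr ' ' '\n' | grep -qx -- "$gid"
}

# same_file FILE SHA256 SIZE -> exit 0 when digest and byte count both match
same_file() {
    sum=$(sha256sum < "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$sum" = "$2" ] && [ "$size" = "$3" ]
}

# esk_kind FILE -> symmetric | public-key | unknown
# Reads the first OpenPGP packet header of a binary (non-armored) file:
# tag 3 = symmetric-key encrypted session key, tag 1 = public-key one.
esk_kind() {
    b=$(od -An -tu1 -N1 < "$1" | tr -d ' \n')
    case $b in
        140|141|142|143|195) echo symmetric ;;   # 0x8C-0x8F, 0xC3
        132|133|134|135|193) echo public-key ;;  # 0x84-0x87, 0xC1
        *) echo unknown ;;
    esac
}

# Demo on a constructed 4-byte file (not a real encrypted dump).
demo=$(mktemp -d)
printf '\214\015\004\011' > "$demo/sample.gpg"
echo "access: $(access_status "$demo/sample.gpg")"
echo "kind:   $(esk_kind "$demo/sample.gpg")"
rm -rf "$demo"
```

Run `same_file` on each machine with the digest and size reported by the other side; a `public-key` result from `esk_kind` means only the holder of the matching secret key can decrypt.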



