ctf-like WKD challenge (was: WKD proper behavior on fetch error)

Ángel angel at pgp.16bits.net
Thu Jan 21 00:23:52 CET 2021


On 2021-01-20 at 08:08 +0100, Stefan Claas via Gnupg-users wrote:
> On Wed, Jan 20, 2021 at 12:41 AM Ángel <angel at pgp.16bits.net> wrote:
> 
> > A list of all (well, most) openpgpkey subdomains can be easily
> > created.
> 
> Yes and I believe that what Neal and you (in your new posting) have
> explained makes it only worthwhile for Mallory to start his work,
> because he has such an openpgpkey list created.

No, no, no. The idea of my previous mail was *precisely* that there is
no point for Mallory to do that.

Counting wkd servers can be interesting for statistics, measuring
adoption, etc. but that would be of no use for an attacker.


Ok, let's frame it a bit differently. I will give a game for you.

Last night, I prepared the domain wkdtest.pgp.16bits.net. It is a valid
wkd server. I have just created and uploaded there a new pgp key, and
you have to obtain it:


«We have intercepted the following communication sent to a spy using
an undisclosed openpgp implementation. Based on the detected network
traffic, we are sure the key itself was downloaded using wkd, and the
domain of the userid to be ‘wkdtest.pgp.16bits.net’

Your mission, should you choose to accept it, is to find out the name
of the spy to which this communication was addressed:


-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----»


Can you figure this out?
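
Background on the WKD lookup this message refers to, as an added example that is not part of the original mail: per the Web Key Directory draft, a key is published under a file name derived from a hash of the address's local part, so an operator can audit a `hu/` directory against the addresses meant to be published. The function names and the example.org addresses and file names are constructed for illustration.

```python
import hashlib
from urllib.parse import quote

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def wkd_hash(local_part: str) -> str:
    """z-base-32 of SHA-1 over the local part, ASCII letters lowercased."""
    digest = hashlib.sha1(local_part.encode("utf-8").lower()).digest()
    n = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZB32[(n >> shift) & 31] for shift in range(155, -1, -5))

def wkd_urls(address: str) -> dict:
    """Advanced-method and direct-method lookup URLs for one address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    d, h = domain.lower(), wkd_hash(local)
    query = f"?l={quote(local)}"
    return {
        "advanced": f"https://openpgpkey.{d}/.well-known/openpgpkey/{d}/hu/{h}{query}",
        "direct": f"https://{d}/.well-known/openpgpkey/hu/{h}{query}",
    }

def audit_hu_dir(published: list, hu_files: list) -> dict:
    """Compare the addresses meant to be published with file names in hu/."""
    expected = {wkd_hash(a.rpartition("@")[0]): a for a in published}
    present = set(hu_files)
    return {
        # addresses whose key file is absent from the directory
        "missing": sorted(a for h, a in expected.items() if h not in present),
        # files that match none of the intended addresses
        "unexplained": sorted(present - set(expected)),
    }

if __name__ == "__main__":
    # Constructed sample data: two intended addresses, one stray file.
    intended = ["Joe.Doe@Example.ORG", "alice@example.org"]
    on_disk = [wkd_hash("joe.doe"), "constructed-stray-file"]
    for name, url in wkd_urls(intended[0]).items():
        print(name, url)
    print(audit_hu_dir(intended, on_disk))
```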