|Home The Net Comics Links Stories Buy Stuff|
1995 Fools: PGP/IDEA -Cracked!-
From: firstname.lastname@example.org (Mark Beeson) Newsgroups: alt.2600,alt.security.pgp,alt.religion.kibology Subject: PGP/IDEA -Cracked!- Date: 1 Apr 1995 08:36:03 GMT Organization: [ Neural InterNetworking ] Message-ID: <email@example.com> --NOTE FROM SENDER (Mark)-- This may be a coverup. IDEA/PGP makers may completely deny this. But it's true. PGP and IDEA encryption can be cracked using a very simple algorithm. This is a press release I stumbled upon on a site that shall be unnamed (for security reasons -- if I divulged it I could be arrested). Read on. --END NOTE, BEGIN INCLUDED MESSAGE-- From : << DELETED FOR SECURITY REASONS >> To : << DELETED FOR SECURITY REASONS >> Date : Sat Apr 1 00:05:07 EST 1995 Subj : PGP ENCRYPTION INSECURE -- CRACK IDEA USING SIMPLE ALGORITHM. Gentlemen, It has come to my knowledge that PGP/IDEA can be cracked, and easily. This alarming data should not, at all costs, be released to the public, and should only be forwarded to << DELETED FOR SECURITY REASONS >>. The concept behind breaking the encryption is simple. The security hole that was found is this: The originating person's private keyphrase can be found _inside_ the actual PGP message. Yes, that is alarming, isn't it? The algorithm to pick out the private keyphrase is even more alarming, and very simple. Here's the base equation: ( HEX VALUE OF FIRST CHARACTERS / NUMBER OF CHARACTERS ) ^ X where X increases by one for every character found in the private keyphrase. Instructions for using this equation: - Translate all the characters in the first row of the encrypted message to hexadecimal values, and take the sum total of those. - Count the number of characters in the encrypted message and divide the sum total of the hex values by this number. - Letters of the private keyphrase can be found at (ThisTotal) ^ X, where X increases after finding each letter. Therefore the first letter can be found at (ThisTotal) ^ 1, or (ThisTotal). The second letter can be found at (ThisTotal) ^ 2, and so on. As an example, take this message. You will find that you can easily decrypt it using this algorithm. -----BEGIN PGP MESSAGE----- Version: 2.6.2 owFtkMFOg0AQhuvBCwnv8MulmgiEprGU1CogVI1tGhMfYC2DSwq7m2Ur8aV8RqHV m9/tn5l8M5nv0ejs2Zwzpat61PPIlPpCPETkUtbj9sK2bMt1bQtYM71HQtRKgct1 EszCK/zHVlNbFSTMNTZ0APriL/Fo0L5!qfeV+Bhkx8HVFmWfSfcLhYkwnSDNEcwx iRHMkKcIp4hDIH5AeIMgRpgNpWSOIEOa/ImOONknCaxkgU6KscGOs14NwwmKtcZz ANdFKg+6JcgSWaMqTSfF2+tLhAUD11TeOtwYFfl+13WeNoW3k43PzXsl/NOxd03/ iPvfjrPkpGnhs6VnWz8= =vp3z -----END PGP MESSAGE----- The exercise is left to the reader. More details will follow as data is researched. Currently the team of << DELETED FOR SECURITY REASONS >> is working on a version of this for binary files. It is assumed that there should be no difference between binaries and ASCII-armored text, only that the binary files need to be accessed by a simple C program that will read binary data instead of ASCII data. Yes, gentlemen, this is alarming, but if the general public does not get ahold of this information, perhaps we can use this to our advantage. I'm sure you remember Clipper -- maybe if these new PGP/ IDEA developments are kept confidential, we will be able to read the public's encrypted data after all. Cordially, <<DELETED FOR SECURITY REASONS >> E-Mail: << DELETED FOR SECURITY REASONS >> --END INCLUDED MESSAGE-- I can only assume that PGP and IDEA are insecure, folks. *sigh* This is pretty depressing news. --Mark firstname.lastname@example.org -- Mark Beeson (MB178) President, Neural InterNetworking PGP fingerprint: 42 CF 19 2A 17 FC 84 A8 AD 86 1A 8E 84 B9 1E CB "Even God won't change the past." -- Course of Empire URL: here.