Mailing List Archive: GnuPG: users

Is it possible to decide what is a gpg file?

Index | Next | Previous | View Threaded

melikamp at melikamp

Nov 17, 2009, 7:52 AM

Post #1 of 19 (2050 views)
Permalink

Is it possible to decide what is a gpg file?

Hi everyone!

Sorry if you get two of these, I screwed up while subscribing
to the list.

I have a question relating to the symmetric encryption. If I do

gpg -c foo-file

and enter a passphrase, I get an encrypted foo-file.gpg.
Is there a way to tell that it is an encrypted file just by
looking at the contents? I mean, is there a reliable way to
tell that something is _not_ an encrypted file?

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dave.smith at st

Nov 17, 2009, 8:28 AM

Post #2 of 19 (1996 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

On Tue, Nov 17, 2009 at 10:52:29AM -0500, Melikamp The Medley wrote:
> Sorry if you get two of these, I screwed up while subscribing
> to the list.
>
> I have a question relating to the symmetric encryption. If I do
>
> gpg -c foo-file
>
> and enter a passphrase, I get an encrypted foo-file.gpg.
> Is there a way to tell that it is an encrypted file just by
> looking at the contents? I mean, is there a reliable way to
> tell that something is _not_ an encrypted file?

Depends on what you mean by "reliable"...

I'm sure if you read RFC-4880, you could work out a byte pattern that
would give a very good indication, for most practical purposes.

However, it would probably be possible for someone to generate a file
artificially in a deliberate attempt to fool the filetype detection
mechanism. So, it's not "reliable" because it can be fooled
intentionally, but for most likely scenarii (i.e. where people aren't
deliberately trying to fool it), it would work.

If you're running on UNIX (particularly Linux), look at 'man file'.

--
David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724
1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2
Almondsbury | Work Email: Dave.Smith [at] st
BRISTOL, BS32 4SQ | Home Email: David.Smith [at] ds-electronics

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

timo.lindfors at iki

Nov 17, 2009, 9:04 AM

Post #3 of 19 (1996 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Melikamp The Medley <melikamp [at] melikamp> writes:
> and enter a passphrase, I get an encrypted foo-file.gpg.

gpg seems to be able to determine the cipher used:

$ gpg foo-file.gpg
gpg: CAST5 encrypted data

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

melikamp at melikamp

Nov 17, 2009, 9:38 AM

Post #4 of 19 (1996 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Thanks for your answers, David, Timo.

A somewhat related question: is there a tool that is designed
to produce "undetectable" encryption, i.e. something that is
very plausibly random? I gather from your answers that gpg does
not do that.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mariocastelancastro at gmail

Nov 17, 2009, 12:54 PM

Post #5 of 19 (1999 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

November 17th for David SMITH <dave.smith [at] st>

Linux do not have a file command, that belogs to the rest of the OS.

Linux is only a kernel than is commonly used with the GNU Operating
System, but the name for that system is GNU or GNU/Linux.

In advance thanks by your understanding.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksDDTEACgkQZ4DA0TLic4h7rQCePxYym6G2KLhhdiNxCZR3U17S
7YUAnA88xhLNkHO/LsTXLBWsR6Ed9+s2
=Wzjs
-----END PGP SIGNATURE-----

2009/11/17 David SMITH <dave.smith [at] st>:
> On Tue, Nov 17, 2009 at 10:52:29AM -0500, Melikamp The Medley wrote:
>> Sorry if you get two of these, I screwed up while subscribing
>> to the list.
>>
>> I have a question relating to the symmetric encryption. If I do
>>
>> gpg -c foo-file
>>
>> and enter a passphrase, I get an encrypted foo-file.gpg.
>> Is there a way to tell that it is an encrypted file just by
>> looking at the contents? I mean, is there a reliable way to
>> tell that something is _not_ an encrypted file?
>
> Depends on what you mean by "reliable"...
>
> I'm sure if you read RFC-4880, you could work out a byte pattern that
> would give a very good indication, for most practical purposes.
>
> However, it would probably be possible for someone to generate a file
> artificially in a deliberate attempt to fool the filetype detection
> mechanism. �So, it's not "reliable" because it can be fooled
> intentionally, but for most likely scenarii (i.e. where people aren't
> deliberately trying to fool it), it would work.
>
> If you're running on UNIX (particularly Linux), look at 'man file'.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

Nov 17, 2009, 1:20 PM

Post #6 of 19 (1997 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Melikamp The Medley wrote:
> I mean, is there a reliable way to tell that something is _not_ an
> encrypted file?

If you mean, "a reliable way to tell that something is not an
OpenPGP-encrypted file," then yes: check the OpenPGP header at the
beginning of the message.

If you mean, "a reliable way to tell that something is not an encrypted
file, period," then no, not really.

There are a lot of qualifiers on the "no, not really." A lot of Ph.D.
theses have been written on this subject: it ties into some really deep
areas of theoretical computer science. If you want to learn more about
the qualifiers, I'd suggest reading up on algorithmic randomness and
Kolmogorov-Chaitin complexity. It won't be easy reading, but speaking
personally, I find this stuff fascinating.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dshaw at jabberwocky

Nov 17, 2009, 2:39 PM

Post #7 of 19 (1993 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

On Nov 17, 2009, at 3:54 PM, Mario Castel�n Castro wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> November 17th for David SMITH <dave.smith [at] st>
>
> Linux do not have a file command, that belogs to the rest of the OS.
>
> Linux is only a kernel than is commonly used with the GNU Operating
> System, but the name for that system is GNU or GNU/Linux.

Please stop doing this. Some people call it "GNU/Linux". Some people
(the vast majority, at least in the US) call nearly any machine
running a Linux kernel "Linux". Some people genuinely don't care.
The important thing here is that it's not particularly relevant to the
discussion of GnuPG.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dshaw at jabberwocky

Nov 17, 2009, 2:50 PM

Post #8 of 19 (1993 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

On Nov 17, 2009, at 12:38 PM, Melikamp T. Medley wrote:

> Thanks for your answers, David, Timo.
>
> A somewhat related question: is there a tool that is designed
> to produce "undetectable" encryption, i.e. something that is
> very plausibly random? I gather from your answers that gpg does
> not do that.

That is correct, GPG does not do that. In theory, you could transform
GPG output in such a way to make it (plausibly) appear random. The
difficulty in practice is that my plausible and someone else's
plausible may not match up - and you also would need a plausible
reason why you chose to hang on to a bunch of large "random" files on
your machine ;)

If you did some OpenPGP packet manipulation, you could probably do
fairly well here... but you'd have to do some work on the receiving
side to re-create a valid OpenPGP message so GPG could decrypt it.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dougb at dougbarton

Nov 17, 2009, 4:04 PM

Post #9 of 19 (1995 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Timo Juhani Lindfors wrote:
> Melikamp The Medley <melikamp [at] melikamp> writes:
>> and enter a passphrase, I get an encrypted foo-file.gpg.
>
> gpg seems to be able to determine the cipher used:
>
> $ gpg foo-file.gpg
> gpg: CAST5 encrypted data

When I try this with gpg2 I get the following:

gpg2 bunsen_honeydew.jpg.gpg
gpg: error reading key: No public key

I get the same result with a file encrypted to a public key (as this
one was) and with a symmetrically encrypted file.

Am I doing something wrong here?

Doug

--

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

melikamp at melikamp

Nov 17, 2009, 5:06 PM

Post #10 of 19 (1991 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Thank you, Robert.

OK so I looked it up and I think what I want is called "deniable encryption".
I was just hoping that people here would recommend some FOSS tool to
deniably encrypt individual files. If there is no such tool, I am just going to
write one.

The rest of this message describes the kind of "deniable encryption"
that I want. The tool should meet these practical goals:

(0) FOSS license
(1) Can encrypt individual files
(3) Can add salt (like a passphrase)
(2) Deniable encryption:
Given a file A with random data and a ciphertext B (cleartext is unknown),
it should be impossible to guess which is which more than half the time.
(3) Deniability is robust:
Given a file A with random data and a ciphertext B (cleartext is *known*),
it should be infeasible to prove with certainty much above 0.5 that
B is the ciphertext. This implies that obtaining the passphrase is
impractical and actually feels like a much stronger property.

I know a bit about information theory, and it seems to me that there is
at least one elementary way to encrypt a file in a way that is "undetectable".

One can xor the cleartext by a large pad. Decrypting requires the
same pad: anything else will produce garbage. Almost every ciphertext
looks like random data. The downside is that (partially) knowing the
cleartext would allow to reconstruct the pad, and hence other
ciphertext constructed with the same pad would be compromised.

A more advanced way to achieve the same goal is to take a passphrase
and to use it to construct a ciphertext. The hardest part, as far as I
understand, is in showing that it is infeasible to reconstruct the
passphrase, even when one has cleartext-ciphertext pairs, and that is
where the math becomes very useful.

But enough of me rambling. Thank you all in advance :)

> There are a lot of qualifiers on the "no, not really." A lot of Ph.D.
> theses have been written on this subject: it ties into some really deep
> areas of theoretical computer science. If you want to learn more about
> the qualifiers, I'd suggest reading up on algorithmic randomness and
> Kolmogorov-Chaitin complexity. It won't be easy reading, but speaking
> personally, I find this stuff fascinating.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

Nov 17, 2009, 5:53 PM

Post #11 of 19 (1992 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Melikamp T. Medley wrote:
> OK so I looked it up and I think what I want is called "deniable
> encryption".

What you've described here isn't deniable encryption, not as I know it
to be. This shouldn't be too surprising, given there are tons of things
I don't know about. :)

> (3) Can add salt (like a passphrase)

Salting is something that's done to hash functions. Are you sure you
mean that you want to add salt to a cipher?

> (2) Deniable encryption: Given a file A with random data and a
> ciphertext B (cleartext is unknown), it should be impossible to guess
> which is which more than half the time.

This will be supported by effectively any modern cipher, especially for
small files. If you can distinguish ciphertext from random noise,
that's usually considered to be a strong sign the cipher is weak.

(Note that I'm talking about modern symmetric ciphers. Asymmetric
ciphers may very well be distinguishable. I *think* they are, but I
can't summon up a reference now for the life of me -- take this as
unsubstantiated speculation.)

> (3) Deniability is robust: Given a file A with random data and a
> ciphertext B (cleartext is *known*), it should be infeasible to prove
> with certainty much above 0.5 that B is the ciphertext. This implies
> that obtaining the passphrase is impractical and actually feels like
> a much stronger property.

See above remarks: this is a fairly basic test for symmetric ciphers.

Note that I'm talking only about pure cipher algorithms. Once you add
headers, magic numbers and so on -- all of which OpenPGP does, as will
many other crypto applications -- then both #s 2 and 3 fail.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mariocastelancastro at gmail

Nov 17, 2009, 6:39 PM

Post #12 of 19 (1991 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

November 17th 2009 for gnupg-users [at] gnupg

Hi, I suggest to search for steganography, the cience/art of hidding
messages.

I never used a program than do steganography but search for one, there
must be a lot of free (as in freedom) ones. LSB steganography is very
easy to implement.

Remeber than a lot of (Wath appears to be) random data is
incriminatory and you will be forced to say the cipher and key
used. Depending of the
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksDXe8ACgkQZ4DA0TLic4gBagCgh8QaOzqX5kpbJtNznIiFD6AL
mVwAmgLQprgxQaC/fYNWB7BlfM4tyt/L
=XjGI
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

vedaal at hush

Nov 19, 2009, 7:26 AM

Post #13 of 19 (1961 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

There is no way (yet, ;-) ), to do what you want in gnupg, as a
gnupg encrypted file will show that it was encrypted either
symmetrically or to a key.

But, if you don't mind XOR-ing with a large pad, and you have a
secure place to keep the pad, (not on the computer with the
encrypted files),
you can do something like the following:

[1] Encrypt whatever file you want using gnupg, and the options of
--throw-keyids --armor

This will produce a ciphertext output of the encrypted file, with
no information about the key it was encrypted to, except for the
type (dh, rsa) and the size.

[2] Find, or write, a document equal to or greater, than the size
of the file in [1], and save it on your computer, and do not save
the file in [1].

[3] Construct a pad that XOR's from the file in [2] to the file in
[1].

[4] Save the pad securely somewhere else.

[5] If the pad is discovered, people will expect to use it to apply
to a ciphertext and recover a plaintext, not the other way around,
and you have no ciphertexts on your computer, and even if it were
used correctly to recover the ciphertext, the plaintext still
cannot be recovered without the key and passphrase.

BUT,

Only you know what your threat model is.

This will probably not be a good idea to use if your threat model
includes dangerous determined adversaries who know the field.

vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mearns.b at gmail

Nov 19, 2009, 8:03 AM

Post #14 of 19 (1960 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Sorry, sent to author instead of list again. Message below.

On Thu, Nov 19, 2009 at 11:02 AM, Brian Mearns <mearns.b [at] gmail> wrote:
> On Thu, Nov 19, 2009 at 10:26 AM, �<vedaal [at] hush> wrote:
>> There is no way (yet, ;-) ), to do what you want in gnupg, as a
>> gnupg encrypted file will show that it was encrypted either
>> symmetrically or to a key.
>>
>> But, if you don't mind XOR-ing with a large pad, and you have a
>> secure place to keep the pad, (not on the computer with the
>> encrypted files),
>> you can do something like the following:
>>
>> [1] Encrypt whatever file you want using gnupg, and the options of
>> --throw-keyids �--armor
>>
>> This will produce a ciphertext output of the encrypted file, with
>> no information about the key it was encrypted to, except for the
>> type (dh, rsa) and the size.
>>
>> [2] Find, or write, a document equal to or greater, than the size
>> of the file in [1], and save it on your computer, and do not save
>> the file in [1].
>>
>> [3] Construct a pad that XOR's from the file in [2] to the file in
>> [1].
>>
>> [4] Save the pad securely somewhere else.
>>
>> [5] If the pad is discovered, people will expect to use it to apply
>> to a ciphertext and recover a plaintext, not the other way around,
>> and you have no ciphertexts on your computer, and even if it were
>> used correctly to recover the ciphertext, the plaintext still
>> cannot be recovered without the key and passphrase.
>>
>> BUT,
>>
>> Only you know what your threat model is.
>>
>> This will probably not be a good idea to use if your threat model
>> includes dangerous determined adversaries who know the field.
>>
>>
>> vedaal
> [snip]
>
> I think you're very much over-complicating things. If you're going to
> go through all the trouble of creating a pad of equal length to your
> message, then just make it an OTP, XOR it with your message, and
> you're done. No need for gpg at all in that case, and no need for a
> cover document.
>
> If he wants to hide the fact that he has an encrypted document, that's
> a completely different matter and calls for steganography.
>
> -Brian
>
>
>
>
> --
> Feel free to contact me using PGP Encryption:
> Key Id: 0x3AA70848
> Available from: http://keys.gnupg.net
>

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

vedaal at hush

Nov 19, 2009, 3:40 PM

Post #15 of 19 (1956 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

On Thu, 19 Nov 2009 11:02:35 -0500 Brian Mearns
<mearns.b [at] gmail> wrote:

>If he wants to hide the fact that he has an encrypted document,
>that's a completely different matter and calls for steganography.

That's what i thought that he wanted.

Unfortunately, steganography is very difficult to achieve. ;-((

Unlike cryptography, where the standard is that the encryption is
secure, even when the algorithm is known and well studied, no such
progress has been achieved (afaik) in steganography.

Stego relies mainly on creative obscurity. The Holy Grail of a zero-
distortion stego carrier has not yet been found. The standard stego
carriers (image files, audio, video files) have been well analyzed,
and there is still detectable distortion in a carrier stego file
when compared to a normal file of the same size and filetype.

Gnupg presents a great opportunity for use of text as a non-
detectable
distortion carrier in the advancement of steganography.

Extending the example i gave above, it can be tweaked to provide
increased levels of deniability that approach acceptable levels of
crypto security.
(i.e.
it should be just as difficult to prove that a file is
steganographically hidden, as it would be to crack a 256 bit
symmetric encryption algorithm.)

[1] Assuming a gnupg encrypted ciphertext of size 'k', and that
there
are more than 95 ordinary files greater than size 'k' on the
computer that plausibly belong there.
(for a concrete example that's easier to follow, assume the
ciphertext has 400 lines)

[2] Pick any 40 such ordinary files of this size
(and remember them ;-)) )

[3] Armor them using the --enarmor command to produce an armored
text representation of the file.

[4] Select 10 lines from each of the 40 gpg enarmored files, and
concatenate them to a 400 line text

[5] Make a pad to XOR from the text in [4], to the desired
ciphertext.

[6] Save the pad securely somewhere else.

[7] Even if the pad is recovered, it cannot reasonably be proved
that it XOR's to anything on the computer that would produce a
ciphertext

n.b.
This is just a rough draft of a consideration ;-)

What needs to be taken into account, is which parts of the gnupg
ciphertext act as a 'plaintext' in showing that an encrypted file
is present, and how to effectively increase the stego 'carrier
space', to hide those lines.

Anyway,
it might be an interesting area of steganography exploration ;-)

vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

Nov 19, 2009, 6:28 PM

Post #16 of 19 (1953 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

vedaal [at] hush wrote:
> Unlike cryptography, where the standard is that the encryption is
> secure, even when the algorithm is known and well studied, no such
> progress has been achieved (afaik) in steganography.

Pierre Moulin's got a whole sheaf of really good steganography papers,
and yet most people I've met who advocate steganography have no idea who
he is. This is kind of like meeting someone who says they're designing
a cryptosystem, and they've never heard of Claude Shannon or read any of
his papers.

Speaking generally, most people who develop cryptosystems don't bother
to read the crypto literature, and most people who develop
steganosystems don't bother to read the stegano literature. Kind of
sad, really.

(Please do not misconstrue my remarks as applying to either the OpenPGP
authors or the GnuPG developers.)

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mariocastelancastro at gmail

Nov 19, 2009, 6:36 PM

Post #17 of 19 (1954 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

November 19th 2009 for gnupg-users [at] gnupg

IMO steganography should be mixed with cryptography to be secure.

As example: LSB in pictures (Unless you have a professional camera)
will be random (High entropy and no predecible). You can replace it
with ciphertext (Undistinguible from random noise) and no one will
note the difference.

Of course if instead of replace the LSB with direct ciphertext you put
an GPG encrypted file the magic numbers will prove than there is an
encripted message. It can't be decoded w/o the key but you can be
forced to give the key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksF/1IACgkQZ4DA0TLic4gcdwCeO4Pj4CNLNDfP3QmLbZFGT4nz
zJUAni/BqPbPJEEqJbOTg44EED5McgeK
=LFjl
-----END PGP SIGNATURE-----

Note: resent because the first wasn't sent to the mailing list.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

makrober at gmail

Nov 21, 2009, 4:46 AM

Post #18 of 19 (1896 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

Melikamp T. Medley wrote:
> Thanks for your answers, David, Timo.
>
> A somewhat related question: is there a tool that is designed
> to produce "undetectable" encryption, i.e. something that is
> very plausibly random? I gather from your answers that gpg does
> not do that.
check out "Burp":
hyyp://www.geodyssey.com/cryptography
and read this:
http://www.geodyssey.com/cryptography/burp.txt
MacRober

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

classpath at arcor

Nov 21, 2009, 7:11 AM

Post #19 of 19 (1894 views)
Permalink

Re: Is it possible to decide what is a gpg file? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

makrober wrote:
> Melikamp T. Medley wrote:
>> Thanks for your answers, David, Timo.
>>
>> A somewhat related question: is there a tool that is designed
>> to produce "undetectable" encryption, i.e. something that is
>> very plausibly random? I gather from your answers that gpg does
>> not do that.
> check out "Burp":
> hyyp://www.geodyssey.com/cryptography
> and read this:
> http://www.geodyssey.com/cryptography/burp.txt
> MacRober
>

man openssl enc

OpenSSL supports BLOWFISH

SUPPORTED CIPHERS
base64 Base 64

bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
bf-cfb Blowfish in CFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode

openssl enc -e -base64 -in /tmp/tina.msg -out /tmp/file.b64

openssl enc -e -bf-cbc -in /tmp/tina.msg -out /tmp/file.b64

openssl enc -d -bf-cbc -in openssl enc -d -bf-cbc -in
MSWRD573.TMP

enter bf-cbc decryption password:
bad magic number
bash-3.00$ ./a.out -d MSWRD573.TMP hghg.txt
./a.out: file crypto, V:1.20 (http://www.geodyssey.com/)
enter key or pass-phrase=>########

re-enter (to confirm)=>########

Decrypting from MSWRD573.TMP to hghg.txt
./a done, 1024 characters/bytes decrypted
bash-3.00$

BLURB works on the fly but at least my instance of openssl with blowfish
in cbc cipher block chaining mode did not decrypt the blurb output.

hence from what I can see, blurb introduces something fundamental new,
which cannot be achieved with openssl or gnuPG.

I tried to encrypt twice, with the same passphrase, which should be the
same as the ciphertext.

And opened the output in ghex2.

blurb does the trick. If you want to encrypt or decrypt a msg to
yourself or someone able to run blurb. Then it is a good bet.

If OpenSSL supports blowfish, why is it incompatible to blurb?

Sincerely yours,

Morten Gulbrandsen

主バイトホイットフィールド
_____________________________________________________________________
Java programmer, C++ programmer
CAcert Assurer, GSWoT introducer, thawte Notary
Gossamer Spider Web of Trust http://www.gswot.org
Please consider the environment before printing this e-mail!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (SunOS)
Comment: For keyID and its URL see the OpenPGP message header

iEYEAREIAAYFAksIAwcACgkQ9ymv2YGAKVRKsQCgx6TnhsKsvGIlySo2cr7ubkXA
jOgAoJZPr9s+CPnbadO28iAJY9dnS7MR
=9fjk
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads