Penetration Testing mailing list archives
Re: [PEN-TEST] Tool to find out if file is encrypted
From: Brian Russo <brusso () PHYS HAWAII EDU>
Date: Tue, 5 Dec 2000 21:20:31 -1000
On Tue, Dec 05, 2000 at 06:48:35PM -0800, Crist Clark wrote:
> Brian Russo wrote:
> > On Tue, Dec 05, 2000 at 08:13:12AM +0100, Paweł Krawczyk wrote:
> > > On Mon, Dec 04, 2000 at 09:38:05PM -0500, crazytrain.com wrote:
> > > > Someone posted recently about a tool to find if a file is encrypted? I use IsEncrypted for just this job. It's by AccessData.
> > > These kinds of tools can in general work in two ways - either recognizing known encrypted file formats (OpenPGP, S/MIME etc.) or estimating the file's randomness. For the latter you have a utility in The Coroner's Toolkit by Dan Farmer and Wietse Venema. See http://www.porcupine.org/forensics/
> > Another thing you can try is to compress the file, and see how it does. e.g.
> >
> > 4 -rw-r-----  1 brian  brian  465 Dec  5 15:28 foo
> > 4 -rw-r-----  1 brian  brian  847 Dec  5 15:30 foo.gpg
> > 4 -rw-r-----  1 brian  brian  878 Dec  5 15:30 foo.gpg.gz
> >
> > As you can see, the gpg'd (2048 ELG) file doesn't really compress at all, actually gets a bit bigger due to some overhead, because this lossless compression can't function well when the input is pretty random.
> Or it is a sign the data was already compressed. IIRC, gpg is going to compress by default before doing its encryption. Did you make sure to disable compression ('-z 0' I believe) when you did this test? What difference, if any, does it make? I'm curious.
You're right, thanks for pointing that out, I honestly didn't consider that, but it doesn't make any difference..

syntax: gpg -z 0 -e foo

-rw-r-----  1 brian  brian   465 Dec  5 15:28 foo
-rw-r-----  1 brian  brian  1050 Dec  5 20:22 foo.gpg
-rw-r-----  1 brian  brian  1081 Dec  5 20:22 foo.gpg.gz

the filesizes are bigger.. because.. the plaintext wasn't compressed prior to encryption, but as you see the result is the same.. "random" data just *doesn't* compress.. as far as lossless compression goes

Of course someone could make ciphertext that was compressible.. anyway, I was just pointing out that compressing something _may_ be useful as a tool of determining if something is encrypted.
> > Granted, this doesn't tell you a lot about the input, but it's somewhat unusual to have data that isn't encrypted, and has very high entropy - unless of course, it actually is just meaningless randomish garbage.
>
> This is obviously not true. Compressed data is neither "meaningless, randomish garbage" nor is it encrypted, but it does have a high entropy per byte (or some measure of data size).
Sorry for confusion on this one, since I had already noted compression above, I didn't explicitly note it here, I thought it was sort of implied, but I should have been explicit.

--
+-------------------------------------------------------------
| Brian Russo <brusso () phys hawaii edu> GPG ID: 54D81666
| 404E 87E8 DD0C 275B 742B 09AD 2243 839C 54D8 1666
| http://www.phys.hawaii.edu/~brusso/gpg_brian.asc
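The two approaches the thread contrasts, recognizing a known format versus estimating randomness (here via byte entropy and the compress-and-compare test Brian used), as a small Python example added here; it is not code from any poster or from The Coroner's Toolkit. The sample inputs are constructed, the two-entry header table is a hypothetical stand-in for a real format database, and a SHA-256 counter stream stands in for gpg output so the run is repeatable and needs no gpg:

```python
import hashlib
import math
import zlib
from collections import Counter

# Headers of two common compressed containers (gzip, zlib); a deliberately short
# table to demonstrate the "recognize known formats" approach from the thread.
KNOWN_HEADERS = {b"\x1f\x8b": "gzip",
                 b"\x78\x01": "zlib", b"\x78\x9c": "zlib", b"\x78\xda": "zlib"}

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte from the byte histogram (8.0 is the max)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """Size after zlib level-9 compression divided by the original size.
    A ratio near or above 1.0 means the bytes did not compress (the foo.gpg.gz test)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)

def classify(data: bytes) -> str:
    """Known format first, randomness estimate second. The second test alone
    cannot tell ciphertext from compressed data, which is Crist Clark's point."""
    fmt = KNOWN_HEADERS.get(data[:2])
    if fmt:
        return f"compressed ({fmt} header)"
    if compression_ratio(data) >= 0.95 or shannon_entropy(data) >= 7.5:
        return "high entropy (encrypted or already compressed)"
    return "low entropy (likely plaintext)"

# Constructed samples: English text, its zlib form, that zlib form with the 2-byte
# header stripped (so only the randomness estimate is left), and a SHA-256 counter
# stream standing in for ciphertext.
PLAINTEXT = (b"Compressing a file only shows whether much redundancy is left; "
             b"gzip output and GPG output both fail that test. ") * 8
COMPRESSED = zlib.compress(PLAINTEXT, 9)
HEADERLESS_COMPRESSED = COMPRESSED[2:]
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                           for i in range(128))  # 4096 bytes

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT), ("zlib", COMPRESSED),
                       ("zlib minus header", HEADERLESS_COMPRESSED),
                       ("random stream", CIPHERTEXT_LIKE)]:
        print(f"{name:18s} {len(blob):5d} B  H={shannon_entropy(blob):.2f}"
              f"  ratio={compression_ratio(blob):.2f}  -> {classify(blob)}")
```

The header-stripped zlib sample and the random stream land in the same bucket, which is exactly why the compression heuristic on its own cannot say "encrypted".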
Current thread:
- [PEN-TEST] Tool to find out if file is encrypted crazytrain.com (Dec 05)
- Re: [PEN-TEST] Tool to find out if file is encrypted Paweł Krawczyk (Dec 06)
- Re: [PEN-TEST] Tool to find out if file is encrypted Brian Russo (Dec 06)
- Re: [PEN-TEST] Tool to find out if file is encrypted Crist Clark (Dec 06)
- Re: [PEN-TEST] Tool to find out if file is encrypted Brian Russo (Dec 06)
- Re: [PEN-TEST] Tool to find out if file is encrypted Brian Russo (Dec 06)
- Re: [PEN-TEST] Tool to find out if file is encrypted Paweł Krawczyk (Dec 06)