Penetration Testing mailing list archives

Re: [PEN-TEST] Places to find crypto cracking tools


From: Nicholas Harring <miniluv () MINILUV COM>
Date: Thu, 30 Nov 2000 21:04:46 -0600

-----BEGIN PGP SIGNED MESSAGE-----

What you're looking for is a tool to brute force the passphrase,
which is in and of itself useless without the private key in the
schemes you've mentioned. Actually, here's the thing: PGP is a PKI
infrastructure; DES and 3DES are symmetric encryption algorithms. PGP
uses RSA to encrypt session keys of a lower computational cost
algorithm. These lower cost algorithms are usually symmetric
encryption, such as 3DES or the new AES (Rijndael). The RSA key
is of a public/private keyring nature, and thus not susceptible to
password guessing type attacks, but instead susceptible to brute
forcing the keyspace. RSA with a 1024 bit key is too large to make it
worth your time, unless your client is a medium to large sized
government with a lavish equipment budget and lots of spare time. You
might be able to use a tool to brute force the passphrase on a PGP
key if you in fact have said key, but I haven't heard of any tools to
do this as the situation is semi-unusual.
Hope that answers your question.
Nicholas Harring

/*
 *Are there any places to look for commercial or non-commercial
 *cracking tools for things like DES, 3DES, PGP...etc..
 *
 *My question is based on the following:
 *If you select a program like 3DES (156 bits I guess) and secure some
 *documents with password like:  IAMGOOD then the password is too weak
 *to create a secure document that can (I guess) withstand a
 *brute-force attack.
 *
 *The tools can/will be used to perform another form of pen-test:
 *Secure-crypto-passwords implementations. I have one client that asked
 *me this question and a few hours on the web revealed nothing...
 */

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

-----END PGP SIGNATURE-----
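
Added example, not part of the original post or of any tool it mentions: a passphrase audit for the case raised in this thread, where a passphrase such as IAMGOOD protects a key whose own keyspace is far larger than the passphrase's search space. The character classes, the function names and the 112-bit figure used for three-key 3DES are assumptions of this example.

```python
import math
import string

# Assumption of this example: a guesser knows which character classes
# the passphrase draws from, so the alphabet is the union of those classes.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def alphabet_size(passphrase):
    """Number of symbols in the classes the passphrase actually uses."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    # Characters outside every class (e.g. non-ASCII) add one symbol each.
    extra = {ch for ch in passphrase if not any(ch in c for c in CLASSES)}
    return size + len(extra)


def passphrase_bits(passphrase):
    """Upper bound on entropy, log2(alphabet ** length); real phrases
    chosen by people carry less than this."""
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def min_length(cipher_key_bits, alphabet):
    """Shortest random passphrase over `alphabet` symbols that matches
    the cipher's key strength; None if the alphabet is degenerate."""
    if alphabet < 2:
        return None
    return math.ceil(cipher_key_bits / math.log2(alphabet))


def audit(passphrase, cipher_key_bits):
    """Report whether the passphrase, not the cipher, is the weak link."""
    bits = passphrase_bits(passphrase)
    return {
        "passphrase_bits": round(bits, 1),
        "effective_bits": round(min(bits, float(cipher_key_bits)), 1),
        "passphrase_is_weak_link": bits < cipher_key_bits,
        "min_random_length": min_length(cipher_key_bits,
                                        alphabet_size(passphrase)),
    }


if __name__ == "__main__":
    # 112 bits: commonly cited effective strength of three-key 3DES
    # (an assumption of this example, not a figure from the thread).
    print(audit("IAMGOOD", 112))
```
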

