Call for action: Please send me an encrypted file
tl;dr: Please encrypt a file and send it to me together with a (short) description, how I can make it readable for me.
Everyone is talking about encryption and nobody does it. This is a short summary of my initial asumption. Did you ever try to encrypt a file and to send it someone? How did you do it?
This is a fairly simple and basic task which you can present in a beginner’s course:
Assume another person uses a public computer (Internet cafe, library, etc.). You want to send a file to this person and keep the content confidential to other people. Encrypt a file on your computer and send it to the person.
I ask myself how you would do it. Thatswhy I decided to conduct a little experiment: Dear reader, please encrypt a (no so big) file and send it to me (via mail to enc2018@kubieziel.de, you can use my PGP key if you like, comment this post or use some other means to contact me). Add some information which to decrypt the file. You have no idea how to do this? I desperately want to know about it. Please write a mail or leave a comment. You tried and failed? I desperately want to know about it. Please write a mail or leave a comment. I would like to know how easy or hard this task is.
I plan to analyse the data on a anonymous basis and will introduce some tools in later posts.
Comments
Display comments as Linear | Threaded
rozzin on :
rozzin on :
VGhpcyB0ZXh0IHdhcyBlbmNyeXB0ZWQgdXNpbmcgb3BlbnNzbCBhbmQgdGhlbiBt
YW51YWxseSBkZWNyeXB0ZWQuIG9wZW5zc2wgcGtleXV0bCAtZW5jcnlwdCAtY2Vy
dGluIC1pbmtleSAvaG9tZS9yb3p6aW4vd3d3a3ViaWV6aWVsZGUuY3J0Cg==
Decode the above ciphertext by piping it through “openssl base64 -d | sudo openssl pkeyutl -decrypt -inkey /etc/letsencrypt/live/kubieziel.de/privkey.pem” (substituting the correct path to the private key on the https://kubieziel.de server, if “/etc/letsencrypt/live/kubieziel.de/privkey.pem” is not the correct path).
Jens Kubieziel on :
rozzin on :
Qce9abkM179JC1YGf/h+lsxD+sQz97Pl7HSjE5KrL4+AZBp341Sx1Vw9CnQseJkb
NbT+lPWVixGcVxd0Pkc6htaVQ0RVe94fMFsKG/vfUvhsWsGbIuKLrncpiiWKOjIw
Wv3sCSy8IYm92vNW/CbMbRqQaWVN7/wT15S/F+roNuaYWIr3Zk09PHalk4En1w2F
mb7Vz2FFgulaP2Q+R5OClETrSDdCFtN2K4Sl17AA8Nz8JYj+HxQxe7eEqBTM7pmD
nAA4d4aUyUoIFufOpc4os64piJ5OLojw5JNtX9n7gQlp2vIID+DcJE9h0xa7b1/C
uXahgjpyi3b5Smx/cmHW303dvjL+He5lUdwQXsN4gCv0GckeoS01yIMtMt4BmqkW
eDYqjmYiVSBIZZL44QpLsrHmwW0GmBFK2vp2iMOykP0s8qyZMERERgMNHwdxhHYO
hnOVsiGH6Ak5OHQsSNxHjBEfSEUfjISe23dKB8ZQHl9baNev0Xq84z/75mj9vswV
mXK7oSz35wSycISiG1UtRhMlgHWSWIV4z7WdQi6T7DNu5Sw7ayQLfqNeO7JYrFlG
g4rMkm/+520XJCi4sVparmSn/WOD8x9g8Wem8MDB8IXsdWFRhdYM0mE/qLJzGA77
Kr0ZI7S737srcAT9SsXIFyog45OzAsYpUqy+7MSdqDI=
(and it should be clear only to Jens, or to whomever has admin access to the server..., that it was actually supposed to be exactly that)
There’s a lesson here about “quick + clever hacks for security”....
I also just sent you an e-mail with an enigmail-enabled Thunderbird (though not with an engimail-enabled _identity_, and without having your public key in advance), to see how the process degraded.
That e-mail ended up being sent with no encryption: after having explicitly selected the option to encrypt the message in my default, enigmail-enabled profile, I selected an auxiliary profile (different sending e-mail address) which had not had enigmail enabled, and the decision to encrypt was `quasi-silently’ discarded (quietly enough that I managed to not notice).
Jens Kubieziel on :
rozzin on :
$ gpg --verbose --search enc2018@kubieziel.de
gpg: data source: https://192.94.109.73:443
(1) enc2018@kubieziel.de
2048 bit RSA key 92D4F7628F0E7F25, created: 2018-02-01
Keys 1-1 of 1 for “enc2018@kubieziel.de”. Enter number(s), N)ext, or Q)uit >
It has no signatures on it.
If someone other than you generated that, it seems like a bit of an odd thing to have done--since an actual attacker hoping to decrypt and read e-mail destined for that address would have to be in a position to even receive/intercept the encrypted e-mail .
Maybe someone was hoping to read secrets posted to your blog comments, though.
Jens Kubieziel on :
https://kubieziel.de/blog/archives/1634-Falscher-Schluessel-fuer-enc2018kubieziel.de.html
Atari-Frosch on :
rugk on :
here is a link: https://snip.dssr.ch/?0e8c45844b18d93d#RJc3VtQUk12QIU5MdmX5fPlNgaOFmn2SREnoc3AY+FQ=
(using PrivateBin, see https://privatebin.info/)
Password sent via mail.
Attention: You can only open it once, afterwards it destroys itself.
Sky on :
Typically I would not separately encrypt a file - I would attach it within an encrypted message. GPGTools on OSX makes this so easy you don’t even notice it’s happening.