Skip to content

Call for action: Please send me an encrypted file

tl;dr: Please encrypt a file and send it to me together with a (short) description, how I can make it readable for me.

Everyone is talking about encryption and nobody does it. This is a short summary of my initial asumption. Did you ever try to encrypt a file and to send it someone? How did you do it?

This is a fairly simple and basic task which you can present in a beginner’s course:

Assume another person uses a public computer (Internet cafe, library, etc.). You want to send a file to this person and keep the content confidential to other people. Encrypt a file on your computer and send it to the person.

I ask myself how you would do it. Thatswhy I decided to conduct a little experiment: Dear reader, please encrypt a (no so big) file and send it to me (via mail to enc2018@kubieziel.de, you can use my PGP key if you like, comment this post or use some other means to contact me). Add some information which to decrypt the file. You have no idea how to do this? I desperately want to know about it. Please write a mail or leave a comment. You tried and failed? I desperately want to know about it. Please write a mail or leave a comment. I would like to know how easy or hard this task is.

I plan to analyse the data on a anonymous basis and will introduce some tools in later posts.

Trackbacks

Qbi's Weblog on : Zahlen zum Verschlüsselungsexperiment

Show preview
Ich hatte euch gebeten, mir eine verschlüsselte Datei zu schicken. Die An- und Vielzahl der Antworten war überwältigend. Vielen Dank an alle, die mitmachten! Doch was kam dabei heraus? Unten findet ihr eine Auswertung in Zahlen: Insgesamt erhielt ich k

Comments

Display comments as Linear | Threaded

rozzin on :

This text was sent TLS-encrypted to your webserver. It was automatically decrypted upon receipt.

rozzin on :

Hmm.... Here’s an example that will at least probably not be automatically decrypted:

VGhpcyB0ZXh0IHdhcyBlbmNyeXB0ZWQgdXNpbmcgb3BlbnNzbCBhbmQgdGhlbiBt
YW51YWxseSBkZWNyeXB0ZWQuIG9wZW5zc2wgcGtleXV0bCAtZW5jcnlwdCAtY2Vy
dGluIC1pbmtleSAvaG9tZS9yb3p6aW4vd3d3a3ViaWV6aWVsZGUuY3J0Cg==

Decode the above ciphertext by piping it through “openssl base64 -d | sudo openssl pkeyutl -decrypt -inkey /etc/letsencrypt/live/kubieziel.de/privkey.pem” (substituting the correct path to the private key on the https://kubieziel.de server, if “/etc/letsencrypt/live/kubieziel.de/privkey.pem” is not the correct path).

Jens Kubieziel on :

Thanks for your effort. However your text is just Base64-encoded, not encrypted. Everyone can “decrypt” it by just Base64-decoding it.

rozzin on :

Well, it should be obvious to everyone reading the text decoded form the base64 that it was actually supposed to be something more like this:


Qce9abkM179JC1YGf/h+lsxD+sQz97Pl7HSjE5KrL4+AZBp341Sx1Vw9CnQseJkb
NbT+lPWVixGcVxd0Pkc6htaVQ0RVe94fMFsKG/vfUvhsWsGbIuKLrncpiiWKOjIw
Wv3sCSy8IYm92vNW/CbMbRqQaWVN7/wT15S/F+roNuaYWIr3Zk09PHalk4En1w2F
mb7Vz2FFgulaP2Q+R5OClETrSDdCFtN2K4Sl17AA8Nz8JYj+HxQxe7eEqBTM7pmD
nAA4d4aUyUoIFufOpc4os64piJ5OLojw5JNtX9n7gQlp2vIID+DcJE9h0xa7b1/C
uXahgjpyi3b5Smx/cmHW303dvjL+He5lUdwQXsN4gCv0GckeoS01yIMtMt4BmqkW
eDYqjmYiVSBIZZL44QpLsrHmwW0GmBFK2vp2iMOykP0s8qyZMERERgMNHwdxhHYO
hnOVsiGH6Ak5OHQsSNxHjBEfSEUfjISe23dKB8ZQHl9baNev0Xq84z/75mj9vswV
mXK7oSz35wSycISiG1UtRhMlgHWSWIV4z7WdQi6T7DNu5Sw7ayQLfqNeO7JYrFlG
g4rMkm/+520XJCi4sVparmSn/WOD8x9g8Wem8MDB8IXsdWFRhdYM0mE/qLJzGA77
Kr0ZI7S737srcAT9SsXIFyog45OzAsYpUqy+7MSdqDI=


(and it should be clear only to Jens, or to whomever has admin access to the server..., that it was actually supposed to be exactly that)

There’s a lesson here about “quick + clever hacks for security”....

I also just sent you an e-mail with an enigmail-enabled Thunderbird (though not with an engimail-enabled _identity_, and without having your public key in advance), to see how the process degraded.

That e-mail ended up being sent with no encryption: after having explicitly selected the option to encrypt the message in my default, enigmail-enabled profile, I selected an auxiliary profile (different sending e-mail address) which had not had enigmail enabled, and the decision to encrypt was `quasi-silently’ discarded (quietly enough that I managed to not notice).

Jens Kubieziel on :

Now it worked. This is quite an interesting approach. Thanks for your efforts.

rozzin on :

Interestingly, _someone_ has published an OpenPGP key marked for enc2018@kubieziel.de:


$ gpg --verbose --search enc2018@kubieziel.de
gpg: data source: https://192.94.109.73:443
(1) enc2018@kubieziel.de
2048 bit RSA key 92D4F7628F0E7F25, created: 2018-02-01
Keys 1-1 of 1 for “enc2018@kubieziel.de”. Enter number(s), N)ext, or Q)uit >


It has no signatures on it.

If someone other than you generated that, it seems like a bit of an odd thing to have done--since an actual attacker hoping to decrypt and read e-mail destined for that address would have to be in a position to even receive/intercept the encrypted e-mail .

Maybe someone was hoping to read secrets posted to your blog comments, though.

Jens Kubieziel on :

This is really strange. I put out a warning in German (and also a request to send my the private part :-))
https://kubieziel.de/blog/archives/1634-Falscher-Schluessel-fuer-enc2018kubieziel.de.html

Atari-Frosch on :

I sent you a text file attached to an e-mail, sent and encrypted with Thunderbird/Enigmail to the given email address, using your well known public key. :-)

rugk on :

Hi,
here is a link: https://snip.dssr.ch/?0e8c45844b18d93d#RJc3VtQUk12QIU5MdmX5fPlNgaOFmn2SREnoc3AY+FQ=
(using PrivateBin, see https://privatebin.info/)

Password sent via mail.
Attention: You can only open it once, afterwards it destroys itself.

Sky on :

Yes to Atari-Frosch who used enigmail - I’ve used it and it’s easy. I sent you an actual encrypted file just now using GPGTools/OpenPGP on OSX to encrypt the file. On OSX the encryption process is a single right-click (context-sensitive menu) to encrypt, plus type a password. Same for decryption if you install GPGTools. You can install it on a public computer, create no key (or a garbage key if required), decrypt my message (password encrypted only - no PGP key required) and throw away the GPGTools install afterward if you wish.

Typically I would not separately encrypt a file - I would attach it within an encrypted message. GPGTools on OSX makes this so easy you don’t even notice it’s happening.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
Form options
cronjob