Decrypting Private Keyring. - PGP



Thread: Decrypting Private Keyring.

  1. Decrypting Private Keyring.

    Hi All.

    This is a somewhat desperate (and rather embarrassed) plea for help.

    Some years ago (2000) I created a key under PGP. Following the usual
    advice, I made sure my pass-phrase was as memorable as possible, and kept
    backup copies of my keyring.

    Now, however, I discover that my passphrase is not quite as good as it
    should be. I am 95% sure of the contents, but no matter how hard I try, I
    cannot come up with the correct passphrase.

    In an attempt to resolve the problem, I downloaded pgpcrack - but so far I
    cannot get this to work successfully (under linux).

    Questions:
    Do I need to import my keyring into the same version of PGP that it was
    originally created in? Could there be any explanation other than a bad
    passphrase for my difficulties? And are there any tools I can use to make
    recovery a little easier? I'm damn sure I know the passphrase, with
    perhaps the exception of a punctuation character or two, so brute force
    should be trivial - if I knew the procedure to apply...

    Any pointers?

    Cheers,

    'Drew.


  2. Re: Decrypting Private Keyring.

    "Andrew Williamson" wrote:

    | Hi All.
    |
    | This is a somewhat desperate (and rather embarrassed) plea for help.
    |
    | Some years ago (2000) I created a key under PGP. Following the usual
    | advice, I made sure my pass-phrase was as memorable as possible, and kept
    | backup copies of my keyring.
    |
    | Now, however, I discover that my passphrase is not quite as good as it
    | should be. I am 95% sure of the contents, but no matter how hard I try, I
    | cannot come up with the correct passphrase.
    |
    | In an attempt to resolve the problem, I downloaded pgpcrack - but so far I
    | cannot get this to work successfully (under linux).

    I doubt it will help unless it is a brute force passphrase guesser

    | Questions:
    | Do I need to import my keyring into the same version of PGP that it was
    | originally created in?

    Probably a good idea

    | Could there be any explanation other than a bad
    | passphrase for my difficulties? And are there any tools I can use to make
    | recovery a little easier? I'm damn sure I know the passphrase, with
    | perhaps the exception of a punctuation character or two, so brute force
    | should be trivial - if I knew the procedure to apply...
    |
    | Any pointers?
    |
    | Cheers,
    |
    | 'Drew.


    --
    There are some words which I have known since I was a schoolboy.
    "With the first link, the chain is forged. The first speech censored,
    the first thought forbidden, the first freedom denied, chains us all
    irrevocably." These words were uttered by Judge Aaron Satie -- as a
    wisdom, and warning. The first time any man's freedom is trodden on,
    we're all damaged.

    - Jean-Luc Picard

  3. Re: Decrypting Private Keyring.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Andrew Williamson wrote:

    > Do I need to import my keyring into the same version of PGP that it
    > was originally created in?


    It shouldn't be a problem to use older keyrings with newer PGP
    versions. I've used the same keyrings since v6.5.3 (I now have them
    in v8.0.3).

    > Could there be any explanation other than a bad passphrase for my
    > difficulties?


    I can't really think of anything other than not typing in the correct
    passphrase. I've never had to use any cracking tools to recover a
    passphrase, so without any experience with that, I can't help you
    there. Good luck!

    - --
    Melissa

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    iD8DBQE/1+8+KgHVMc6ouYMRAiO2AKC0HxhAQDf45zCnoJ695UZ1UxtRJQ CfYnVF
    qyEW3c7SEGmr6+9PoK5c1vU=
    =aO6i
    -----END PGP SIGNATURE-----

  4. Re: Decrypting Private Keyring.

    Andrew Williamson wrote:

    > Hi All.
    >
    > This is a somewhat desperate (and rather embarrassed) plea for help.
    >
    > Some years ago (2000) I created a key under PGP. Following the usual
    > advice, I made sure my pass-phrase was as memorable as possible, and kept
    > backup copies of my keyring.


    You mean you came up with a very bad passphrase!

    > Now, however, I discover that my passphrase is not quite as good as it
    > should be.


    You mean it turned out to be better than you thought!

    > I am 95% sure of the contents, but no matter how hard I try, I
    > cannot come up with the correct passphrase.


    Forgetting passwords and passphrases is very common so no surprise here.
    Being 95% or 99% sure does not save you, with passwords it's a binary
    outcome - you either know it or you don't.

    If you run Linux then do a google search for "gringotts", it's an excellent
    package for a forgetful mind. I use it to store my passwords, banking
    information, credit card PINs etc. You'll still need a password for that
    too but at least you'll have only one to worry about (and make sure you
    choose a "good" one).

    > In an attempt to resolve the problem, I downloaded pgpcrack - but so far I
    > cannot get this to work successfully (under linux).


    Brilliant! Otherwise we'd all have started seriously thinking about the
    validity of GPG/PGP.

    > Questions:
    > Do I need to import my keyring into the same version of PGP that it was
    > originally created in?


    Would it make any difference? NO!

    > Could there be any explanation other than a bad
    > passphrase for my difficulties?


    I don't think so. But try extracting your key pair, creating new key rings
    then importing the keys into a new key ring. If after that you still can't
    guess your passphrase then you definitely need a new key pair. And have a
    revocation certificate for your old key handy.

    > And are there any tools I can use to make
    > recovery a little easier?


    Maybe, maybe not but there would be no use of PGP if the answer to your
    question was positive.

    If you design a gun the whole purpose of it would be to kill, wouldn't it?
    You don't expect a gun to heal by pointing it at somebody who you just shot
    dead, do you?

    You can't expect PGP to fail at something that was the whole point of its
    design!

    > I'm damn sure I know the passphrase, with
    > perhaps the exception of a punctuation character or two, so brute force
    > should be trivial - if I knew the procedure to apply...


    LOL ... I doubt that somebody would tell you about such a tool if it existed.
    It would be like burning your own flag, there are quite a few PGP fans
    here, you know.

    > Any pointers?


    Yes. Get a new key pair!
    We've all had it, we've all got over it.

    --
    Jabber: molchun@jabber.org
    PGP ID: 0x304563A8


  5. Re: Decrypting Private Keyring.

    Andrew Williamson writes:

    > In an attempt to resolve the problem, I downloaded pgpcrack - but so far I
    > cannot get this to work successfully (under linux).


    One of the nice things about PGP is that it's very secure. If your
    passphrase was non-trivial and you've forgotten it, everything it
    protects is gone forever. Cracking programs are useless against a
    reasonably well chosen passphrase.

    > Could there be any explanation other than a bad passphrase
    > for my difficulties?


    You could be pressing the wrong keys, if you have a different keyboard
    layout and you touch-type. That's a long shot, though. In some
    versions of PGP you can set the program to echo the passphrase so that
    you can double-check it as you type.

    > And are there any tools I can use to make recovery
    > a little easier?


    There isn't any recovery. If you don't know the passphrase, your data
    is gone forever.

    > Any pointers?


    Make sure you don't forget your passphrase next time. If the risk of
    forgetting represents a greater potential loss than the risk of it being
    found, you might want to record it somewhere for safekeeping.

    --
    Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

  6. Re: Decrypting Private Keyring.

    Andrew Williamson wrote:

    > In an attempt to resolve the problem, I downloaded pgpcrack - but so far I
    > cannot get this to work successfully (under linux).
    >
    > Questions:
    > Do I need to import my keyring into the same version of PGP that it was
    > originally created in?


    Possibly. It depends on which version you created the key with, and
    which version you are trying it with now. In general, it certainly
    wouldn't hurt to use the same version.

    > Could there be any explanation other than a bad passphrase for my
    > difficulties?


    Yes. The key could be corrupt or it could be a PGP version problem or
    bug. For example, there were recent problems between PGP 8 and
    earlier versions with handling non-ASCII characters in passphrases.

    > And are there any tools I can use to make recovery a little easier?
    > I'm damn sure I know the passphrase, with perhaps the exception of a
    > punctuation character or two, so brute force should be trivial - if
    > I knew the procedure to apply... Any pointers?


    The best you can really do is to try and brute force it using the same
    version of PGP you generated the key with. The more you can remember
    of your passphrase the better, of course.

    David
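
    David's point about non-ASCII passphrase handling, as an added example that is not part of the thread: OpenPGP derives the key that unlocks the secret key from the passphrase octets with the iterated and salted string-to-key (S2K) function of RFC 4880, so the same typed characters in a different encoding give a different key. The encodings compared, the salt and the count octet are assumptions for illustration; the thread does not say which encodings the PGP versions used.

```python
import hashlib

def s2k_count(c: int) -> int:
    """Decode the one-octet iteration count (RFC 4880, section 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Hash salt+passphrase over and over until `count` octets have been fed in."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(s2k_count(c), len(block))    # the block is always hashed once in full
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)          # context n starts with n zero octets
        full, rest = divmod(count, len(block))
        for _ in range(full):
            h.update(block)
        h.update(block[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

def keys_by_encoding(passphrase: str, salt: bytes, c: int = 96) -> dict:
    """Derive the key for each encoding that can represent the passphrase."""
    out = {}
    for enc in ("ascii", "latin-1", "cp437", "utf-8"):   # assumed candidate encodings
        try:
            raw = passphrase.encode(enc)
        except UnicodeEncodeError:
            continue                          # this encoding cannot express the text
        out[enc] = s2k_iterated_salted(raw, salt, c).hex()
    return out

if __name__ == "__main__":
    salt = bytes(range(8))                    # constructed salt, not from a real key
    for phrase in ("cafe!", "café!"):         # constructed passphrases
        print(phrase, keys_by_encoding(phrase, salt))
```

    An ASCII-only passphrase derives the same key under every encoding, while one containing `é` derives a different key for each, which is how a correctly remembered passphrase can still be rejected.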

  7. Re: Decrypting Private Keyring.

    Molchun wrote:

    | > In an attempt to resolve the problem, I downloaded pgpcrack - but so far I
    | > cannot get this to work successfully (under linux).
    |
    | Brilliant! Otherwise we'd all have started seriously thinking about the
    | validity of GPG/PGP.

    No, pgpcrack cannot crack PGP, it is a dictionary (I think, might be
    brute force) pass phrase guesser.

    --
    There are some words which I have known since I was a schoolboy.
    "With the first link, the chain is forged. The first speech censored,
    the first thought forbidden, the first freedom denied, chains us all
    irrevocably." These words were uttered by Judge Aaron Satie -- as a
    wisdom, and warning. The first time any man's freedom is trodden on,
    we're all damaged.

    - Jean-Luc Picard

  8. Re: Decrypting Private Keyring.

    Andrew Williamson wrote:
    > Hi All.
    >

    > [...] I'm damn sure I know the passphrase, with
    > perhaps the exception of a punctuation character or two, so brute force
    > should be trivial - if I knew the procedure to apply...

    With a little bit of programming (good time to start if you don't do it
    yet) you can try some permutations of your passphrase. Some
    PGP command-line tools allow you to give the passphrase on the command line.
    It would take you at least hours to write the program and maybe days or
    weeks of computing time to find the key but if you really really need
    that key it might be worth trying. If not: just make a new key and make
    sure not to forget the passphrase, just like anybody else.

    Greets,
    Hans
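
    The approach Hans describes, as an added example that is not part of the thread: for a key owner who remembers the passphrase except for "a punctuation character or two", enumerate every string within two punctuation edits of the remembered form, nearest first. The punctuation set and the `check` callback are assumptions; `check` stands in for whatever the owner uses to test a candidate against their own key.

```python
import hashlib

PUNCT = "!?.,;:'\"-_"    # assumed set of punctuation the owner might have typed

def one_edit(s: str, alphabet: str = PUNCT):
    """Yield strings one punctuation edit away from s: delete, replace or insert."""
    for i, ch in enumerate(s):
        if ch in alphabet:
            yield s[:i] + s[i + 1:]                 # drop a punctuation mark
            for p in alphabet:
                if p != ch:
                    yield s[:i] + p + s[i + 1:]     # swap it for another mark
    for i in range(len(s) + 1):
        for p in alphabet:
            yield s[:i] + p + s[i:]                 # insert a new mark

def candidates(remembered: str, max_edits: int = 2, alphabet: str = PUNCT):
    """Yield unique candidates by increasing edit count, the remembered form first."""
    seen = {remembered}
    frontier = [remembered]
    yield remembered
    for _ in range(max_edits):
        nxt = []
        for s in frontier:
            for v in one_edit(s, alphabet):
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
                    yield v
        frontier = nxt

def recover(remembered: str, check, max_edits: int = 2):
    """Return (passphrase, tries) for the first candidate check() accepts."""
    tries = 0
    for tries, cand in enumerate(candidates(remembered, max_edits), 1):
        if check(cand):
            return cand, tries
    return None, tries

if __name__ == "__main__":
    # Constructed demo: a digest stands in for "the key accepted this passphrase".
    target = hashlib.sha256("correct horse; battery!".encode()).digest()
    ok = lambda c: hashlib.sha256(c.encode()).digest() == target
    print(recover("correct horse, battery", ok))
```

    The number of tries reported shows how small the space is when the memory is nearly right; each real test costs one full passphrase-to-key derivation, so running time scales with that count.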

