OK, we all know the drill (after 3 Firefox crashes I cba to write up everything again). There’s a crypto challenge in DBIR 2010. This is what I know (or think to know) so far:
- There’s crypto data on the last page. It’s Base64 encoded OpenSSL encrypted (“Salted__”) something. No visible block delimiters, no obvious magic numbers... No idea which algorithm it might be. It’s 400 Bytes of data, minus 8 Bytes for the “Salted__” prefix, minus 8 Bytes for the actual salt = 384 Bytes.
That means: 12 blocks with 32 Bytes each, or 6 blocks with 64 Bytes.
- There’s a nearly invisible JPEG on the first page (a b/w fingerprint picture). Extracting this picture from the PDF and feeding it to stegdetect yields a high-confidence rating for JPHide steganography data in the picture.
- stegdetect (but no other JPEG analysis tool I have tried) also complains about an erroneous 10 Bytes between the last JPEG block and the EOF marker (0xFFD9. These bytes are: 0A 7F FA BB AF FC 01 FE B8 AB. They have no meaningful ASCII or Unicode representation. Rotating them around bit by bit through the ASCII table does not yield a word. Feeding them as a passphrase (either binary or ascii) to stegcrack does not succeed.
That’s where I stand now. There’s others who are also attempting to defeat the challenge, but so far last year’s challenge seems to have been easier (it was solved in about a day).
EDIT: I have fed the dictionary file made out of the report through a steganography tool (for the b/w image). @bachrach has fed it through OpenSSL. It seems that no single word in the report is the passphrase. I also looked for occurances of “password, passphrase, pass, key” etc. - no clues.
In a previous blog post, I had written about a couple of ideas for the DBIR cover challenge. Jan (a colleague from the DCSEC group of University of Hanover) and me finally solved the challenge today and I found out I HAD THE CORRECT SOLUTION FOR OVER A WE
Tracked: Aug 27, 00:16