Cracking my own code
September 18, 2014 1:28 PM

I have just discovered that I have two public PGP keys from 1996 and 1997. I recovered the private keys, but I've forgotten the passphrase. Can this be defeated?

The original keys were made in an Apple OS9 version of FreePGP, and it took combining hardware from several old machines to get the hard drive with the private keys sent to my modern machines, all of which was a wonderfully entertaining and frustrating effort. (My desk looks like a horror movie for PCs with parts strewn everywhere.)

So now I have both keys on Windows 7, Ubuntu, and if need be, the newest OSX. I have beat my head against the wall trying to remember the passphrase, or even the context the keys might have been in, but I just don't remember.

I have John the Ripper (and the GUI Johnny, because why not.) but for that to work I believe I'd need to combine the public and private keys into an unshadowed file. Maybe.

I understand that trying to crack the keys themselves is a futile gesture, but the passphrase is going to be between 6 and 20 characters using only letters, numbers, and standard US keyboard symbols, so it shouldn't be insurmountable.

The error I keep getting with the non-combined keys is "no hash".

So, can this be done? I don't really need it, I have a new PGP key of much stronger encryption if I need it, but there is something nostalgic about being able to use my almost 20 year old key if I ever wanted to.

Any suggestions? I'm happy to answer any other questions about available hardware and key type if that makes any difference.
posted by quin to Computers & Internet (4 answers total) 3 users marked this as a favorite
Have you considered hypnosis?

A similar question (20 char passphrase) where the answer was brute force over several billion years.
posted by roue at 3:09 PM on September 18, 2014


I would start by social engineering myself, honestly. You need to come up with as many passwords as you were likely to use — many of mine end up being references that would be oblique to outsiders, but make sense to me. I would also look for all the places you might have written them down. Did you keep any backup password lockers or anything? Any old emails you could trawl?
posted by klangklangston at 4:26 PM on September 18, 2014


John the Ripper is designed to be used on passwd file hashes, I don't think it supports gpg keys natively, although it would certianly be possible to run gpg in a loop feeding it a list of passwords via the --passphrase option. You can probably get John to generate such a list. Passphrases on gpg keys are really only good to prevent it from being used for a while if someone steals it, before you get a chance to revoke it. It's entirely crackable, eventually.

However, it's quite likely that public keys from the mid 90's are completely broken these days. Public key encryption is much weaker, bit for bit, than non-public-key encryption. So your old 768 bit keys from the 90's are horribly weak these days, when 1024 bit keys (which are 2^256 times stronger!) are no longer considered wise, 2048 is the default, and the paranoid are already wondering if 4096 is big enough. The 256 bit encryption mentioned above is not public key encryption, I'm sure.

Then too, pgp in the 90's used hashes that are now considered broken, and algorithms that are deprecated at best.

So, rest easy.. if you can't manage to crack the password, the NSA can certainly whip up a new, non-password protected copy of your old private key. :/
posted by joeyh at 4:35 PM on September 18, 2014


What software was used to generate the PGP keys? Okay, go find out what algorithm that software used to encrypt the private key.

If you're lucky, your private key is encrypted using vanilla DES based on the year it was created. A DES password was brute forced in 22 hours back in 1999. I imagine with a modern processor, you're looking at a similar max time.

If you're unlucky, your private key is encrypted using IDEA. If that's the case, brute forcing your passphrase is the most likely method to succeed.
posted by bfranklin at 7:32 PM on September 18, 2014


« Older How to develop a positive worldview   |   Mac woes - how do I print my documents like I want... Newer »
This thread is closed to new comments.