Plaintext Attack Problem

Curio (@curio)

Hi,

I'm having trouble doing a known plaintext attack via Passware, and can't see what I'm missing. What does the following mean?

1. I locate a file called "Bunny8sm.jpg" via FTK (P-size 4096/ L-size 3077) (11/13/2000). It's ALSO listed in an encrypted zip archive called "Mystuff.zip" as size 3077 ( date 11/13/2000)

2. I export it out and verify its size is still 3077 bytes
3. I run Pkzip to try and match its "twin" in Mystuff.zip, and get the following compression rates
n - 3037 (close!)
x- 3037 (close!)
f- 3045
s-3062
0- 3199

If I can match compression rates, Passware should whack it.

I repeated this procedure with two other files, and while close, no direct match! I know that PKzip v 204g was used, but what the heck am I missing?

Thanks,
Mike


   
(@bithead)

Did you use PKzip v 204g to compress Bunny8sm.jpg?


   
Curio (@curio)

Hello Bithead,

Yes, I used PKzip 204g, tried compressing in both protected and real modes, just in case. I compressed with the following options:
-ex, -en, -ef, -es, -e0

but I couldn't get a final size equal to the Bunny8sm.jpg.

This afternoon I tried a different file that was supposed to be good as well. It read 21,216 bytes in the mystuff.zip archive via Quickview. However, I again tried compression with PKZip 204g with the above 5 options and again could not get a matching compression so as to move forward and use Passware. This is so freakin strange.

Same file name as in encrypted zip file
Same file size as in encrypted zip file
Supposedly using same compression program
I'm trying all five compression methods (of course not encrypting)

but can't get matching file zip file size to its "twin" in mystuff.zip

ANY, any ideas or suggestions would be appreciated.

Thanks,
Mike


   
(@bithead)

The file size should not be exactly the same.

A good check that the plain file is correct is the size difference between it and the encrypted file: the encrypted file must be exactly 12 bytes larger. Also, the files must have the same CRC and uncompressed sizes.
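
The check described in the post above (same CRC, same uncompressed size, encrypted entry exactly 12 bytes larger), as an added example that is not part of the original posts. It reads directory entries with Python's `zipfile`; because `zipfile` cannot write encrypted archives, the encrypted entry is a constructed stand-in, and the function names, the sample data and the extra compression-method comparison are assumptions of this example.

```python
import io
import zipfile

ENC_HEADER_LEN = 12   # traditional PKZIP encryption prepends 12 bytes to each entry's data
ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0 marks an encrypted entry

def entry_for(data: bytes, name: str, method=zipfile.ZIP_DEFLATED, level=9) -> zipfile.ZipInfo:
    """Compress data into an in-memory archive and return its directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method, compresslevel=level) as zf:
        zf.writestr(name, data)
    with zipfile.ZipFile(buf) as zf:
        return zf.getinfo(name)

def constructed_encrypted_twin(plain: zipfile.ZipInfo) -> zipfile.ZipInfo:
    """Constructed stand-in for the matching entry in the encrypted archive."""
    enc = zipfile.ZipInfo(plain.filename, plain.date_time)
    enc.flag_bits = plain.flag_bits | ENCRYPTED_FLAG
    enc.compress_type = plain.compress_type
    enc.CRC, enc.file_size = plain.CRC, plain.file_size
    enc.compress_size = plain.compress_size + ENC_HEADER_LEN
    return enc

def mismatches(enc: zipfile.ZipInfo, cand: zipfile.ZipInfo) -> list:
    """Reasons cand cannot be the plaintext twin of enc; an empty list means it passes."""
    out = []
    if not enc.flag_bits & ENCRYPTED_FLAG:
        out.append("archive entry is not flagged as encrypted")
    if enc.file_size != cand.file_size:
        out.append(f"uncompressed size {cand.file_size} != {enc.file_size}")
    if enc.CRC != cand.CRC:
        out.append(f"CRC {cand.CRC:08x} != {enc.CRC:08x}")
    if enc.compress_type != cand.compress_type:
        out.append("compression method differs")
    delta = enc.compress_size - cand.compress_size
    if delta != ENC_HEADER_LEN:
        out.append(f"compressed size delta is {delta}, expected {ENC_HEADER_LEN}")
    return out

if __name__ == "__main__":
    # Constructed sample data; in casework both entries come from ZipFile(path).getinfo(name).
    data = b"".join(b"constructed sample line %d\n" % i for i in range(500))
    enc = constructed_encrypted_twin(entry_for(data, "sample.txt"))
    for label, cand in [("deflate -9", entry_for(data, "sample.txt")),
                        ("stored", entry_for(data, "sample.txt", zipfile.ZIP_STORED))]:
        print(label, mismatches(enc, cand) or "passes all checks")
```
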


   
Curio (@curio)

Thanks everyone! The problem was that my instructor thought I was talking about uncompressed file sizes while I was talking about compressed, i.e. when attempting known plain text attack (using PKZip) one needs to match the uncompressed known file size to its "twin" in the compressed and encrypted archive. Once one determines that these file sizes match, THEN one can begin compressing the known file using the various -en, -ex, etc. options and trying Passware or whatever. What a headache this was, simple misunderstanding re when file sizes matter, AND when they don't!


   