[SGVLUG] bcrypt alternative?

Sean O'Donnell sean at seanodonnell.com
Wed Jun 13 10:00:35 PDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just a follow-up...

I wasn't able to decrypt the files, but a more common-sense approach did
the trick.

The situation was this: Old disgruntled sysadmin leaving the Co. needed
to send me a snapshot of our Oracle data backups before he departed.

He decided (on his own) that the best way to get the 'sensitive' data
from our office in Florida, to our in Arcadia, was to:

1) buy a $140 500GB Seagate External USB HDD

2) encrypt the (16GB worth) files using bcrypt

3) split large (single) files into smaller (multiple) files using lxsplit,

4) snail-mail the HDD via FedEx overnight shipping.

Needless to say, this was a big waste of our time and money.

The archive itself was originally 16GB. What he sent me was 10GB of
undecryptable data, which cost me (and the co.) close to a week of
wasted time.

He said he used no compression, so I'm still puzzled at how the archive
resulted in 10GB instead of 16GB, but *whatever*.

What I did (instead) was this:

1) Gained temporary root-access and connected to the remote server via ssh.

2) compressed the files using tar+bzip2 (4hrs)

3) SCP'ed the files over our VPN (4.5hrs)

4) decompressed the files (2.5hrs)

NOTE: Compressing the 16GB archive using tar+bzip2 resulted in a 2.4GB
file. (80% compression, neat!)

The files were Oracle database (.dbf) files, which I assume are
plain-text, as afaik binary would not be able to be compressed as much.
Is that an accurate conclusion?

Anyhow, thanks for all your help John, and those of you who suffered
through my random rants about this issue via IRC. =p

Sean O'Donnell wrote:
> John E. Kreznar wrote:
>> "Sean O'Donnell" <sean at seanodonnell.com> writes:
>>
>>>> I found 'mcrypt' and wanted to perhaps give it a try, but I'm unable to
>>>> compile it from source on either RHEL4 (as one generally expects) or
>>>> Slackware 10.2 (surprisingly).
>> mcrypt is a Debian package.  Got a Debian system?  Install the package
>> and try it there.  
> 
> I guess it's about time I put a Debian VM on our (sandbox) VMware ESX
> Server.
> 
>> According to the package description, it does
>> indeed do blowfish, which I gather is the encryption used by bcrypt.
>>
> 
> I'm aware that it does support the blowfish cipher, but when I mentioned
> that yesterday in #crypto, someone suggested that I may be bound to
> bcrypt (only) due to possible headers (created by/for bcrypt) that
> mcrypt may not be able to interpret, thus leaving me SOL.
> 
> I guess I'll give Debian + mcrypt a try and see how that goes.
> 
> Thanks, John.
> 

- --

Sean O'Donnell
South Pasadena, CA

sean at seanodonnell.com
http://seanodonnell.com

PGP Public Key ID: 0xF57FB9E5
PGP Public Key Server: http://pgp.mit.edu

*The important thing is not to stop questioning. Curiosity has its own
reason for existing.*


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFGcCKzCUrh+ax2kDURAlV9AKCw4MQTZK5hHpp/3AAT4hn4SlfmgACePSe8
X41dCEKYxpJrsepYqvHD/+k=
=aUu/
-----END PGP SIGNATURE-----
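
On the question raised in the message above (whether a high compression ratio means the files are plain text), the following is an added example, not part of the original post. It measures byte entropy and bzip2 ratio on three constructed buffers: repeated text, a zero-padded block-structured binary buffer, and random bytes standing in for well-encrypted data. None of the samples is a real Oracle datafile or real bcrypt output, and the block layout is an assumption made for illustration.

```python
import bz2
import math
import os
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0), from the byte histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def bz2_ratio(data: bytes) -> float:
    """Compressed size / original size; lower means more redundancy."""
    return len(bz2.compress(data, 9)) / len(data)

def is_mostly_text(data: bytes) -> bool:
    """True when at least 95% of bytes are printable ASCII or whitespace."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.95

def make_samples(size: int = 256 * 1024) -> dict:
    """Constructed inputs only; layout and contents are illustrative."""
    line = b"INSERT INTO orders VALUES (1001, 'widget', 3);\n"
    text = (line * (size // len(line) + 1))[:size]
    # Binary, block-structured: 8 KiB blocks, packed header, short payload,
    # remainder of each block zero-filled (as in pre-allocated storage).
    blocks = []
    for i in range(size // 8192):
        header = struct.pack("<IIHH", 0xA2000000 | i, i * 7919, 0xFFFF, i & 0xFF)
        payload = bytes((i * 31 + j * 17) & 0xFF for j in range(500))
        blocks.append((header + payload).ljust(8192, b"\x00"))
    return {
        "text": text,
        "binary_blocks": b"".join(blocks),
        "random": os.urandom(size),  # stand-in for well-encrypted data
    }

def report(samples: dict) -> dict:
    """Per-sample entropy, bzip2 ratio, and text classification."""
    return {name: {"entropy": round(shannon_entropy(d), 2),
                   "bz2_ratio": round(bz2_ratio(d), 3),
                   "text": is_mostly_text(d)}
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, row in report(make_samples()).items():
        print(f"{name:14} {row}")
```

The binary sample compresses to a small fraction of its size while failing the text check, so the ratio reflects redundancy rather than text content. The random sample does not shrink at all, which is the behaviour to expect from data that was encrypted without prior compression.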

