Cracking an old ZIP file to help open source the ANC's "Vula" secret crypto code
316 points
29 days ago
| 8 comments
| blog.jgc.org
| HN
edent
29 days ago
[-]
One thing I found fascinating about Vula was how the lack of usability of the system was its downfall.

You had highly committed activists, fighting for freedom, up against a murderous regime - and yet they still failed to use the system properly.

Activists left documents unencrypted. Keys were easily obtainable. Some important communications were sent in the clear because people found the software so cumbersome.

We all know that setting up PGP and using it properly is a pain in the neck. Security is usability.

I wrote a bit more about Vula at https://shkspr.mobi/blog/2014/01/the-hardest-problem-in-encr...

reply
amne
29 days ago
[-]
imagine losing your house keys and never being able to enter it again.

usability, most of the times, reduces security.

reply
jll29
28 days ago
[-]
"Imagine"? There are plenty of folks who lost access to the crypto wallets with millions in it.
reply
bravetraveler
28 days ago
[-]
I used mining as a stability test, there's a small fortune floating somewhere. There was a time one could feasibly get a full Bitcoin every week with a single core Athlon64 chip running 24/7

Before Agent 47 starts sleuthing, the wallet is on a mechanical drive that almost surely didn't make it through at least a dozen moves over just as many years. Good luck.

reply
rurban
29 days ago
[-]
I've got a look at his number generator for the secure one-time pad, and Melissa O'Neil would be proud. Almost pcg. It uses the powerbasic system Rand LCG to switch between 3 new rand1-3 functions, two of them with different LCG's.

https://github.com/Vulacode/RANDOM/blob/d6a1a1d694b22e6a115b...

reply
20k
28 days ago
[-]
Man that one time pad generation is...... not good, I would bet that its very possible to recover the seed state for the different generators, LCGs are trivial to reverse engineer. It looks like the PRNG's are seeded by the system RNG as well, which means that you only need to recover the initial seed of the system's LCG to reverse engineer the one time pads

I don't know what the seed size is of the system LCG, but if its 32-bit (which I think it is), you could simply bruteforce the seed state, and do entropy analysis on the result to crack it in like an hour tops

reply
tetha
28 days ago
[-]
Hm. This is crypto from 30 years ago. And from reading around, the OTP generation never left UK jusidiction, so it would be a black box to attack. Handwaving how this is trivial to defeat with current compute and crypto analysis with full information feels quite unfairly dismissive, even if correct.

Especially since it was strong enough that human error dominated.

reply
20k
24 days ago
[-]
I was having more of a think about this, one of the issues with LCG's is that they're linear, which means that even relatively basic cryptographic analysis can defeat them. The issue here particularly is that, say you have a cryptoscheme where you encode ascii characters. 95% of your plaintext data has one of the two following formats in binary:

011xxxxx 010xxxxx

And of that, about 70% is:

0110xxxx 0100xxxx

This means with a deterministic seed, you're giving away 3 known bits of state away with every with every encrypted letter, and a good chance at a 4th

That analysis does not require a particularly deep understanding of the cryptosystem to be able to perform, known plaintext is going to be one of the first things that anyone tries. Its less complicated than many crypto schemes that were broken

Disclaimer: I have no idea how this system encodes things as the technology predates my knowledge, and it might not be so straightforward as this

reply
nxobject
29 days ago
[-]
And the original programmer wrote a of this while having to pick up crypto and BASIC on the go, too. Never roll your own crypto is the first rule, unless you were in the late 80s and working with fancy new tech…
reply
Vecr
29 days ago
[-]
Nowhere near good enough for an actual One Time Pad, obviously.
reply
sweeter
28 days ago
[-]
I find the fall of the South African apartheid pretty fascinating all around. I wasn't really even aware of this aspect. Fun fact, this is where the BDS movement started (boycott, divest, sanction) and the majority opinion at the time was that the apartheid would never end... but after a long time of continuous pressure from many different pressure points, it caused a lot of stress which led to its collapse.

pretty interesting that this was done on a Toshiba T-100. What a neat computer.

reply
geenkeuse
29 days ago
[-]
Fascinating. We have been through so much here in SA. Hoping that this GNU of ours sets back the Doomsday Clock.

Recommendation - Action Kommandant. A peek into the life of Ashley Kriel, one of our martyrs and the pride of Bonteheuwel.

reply
nxobject
29 days ago
[-]
Thank you so much for sharing his name - it has been a passion of mine to learn about some of the gifted fellow travelers of the ANC, whose stories (and diverse talents!) are often overlooked…

I learned about Athol Fugard in secondary school English, from a bolshie teacher who fled from SA to Canada in the 80s to avoid surveillance, and it opened my eyes.

My best wishes to the SA people as well. A nation of so many gifted people and natural riches deserves so much better. At least it seems like the era of sclerotic internal politics in the ANC is over.

reply
raymond_goo
25 days ago
[-]
reply
atlas_hugged
29 days ago
[-]
TIMBOBIMBO hahahhaha
reply
rurban
29 days ago
[-]
The keys were personalized though. So this was for Timbo
reply
declan_roberts
29 days ago
[-]
Read through the whole article to see the password reveal. Was not disappointed!
reply
Thorrez
29 days ago
[-]
That wasn't the password of the zip file that John cracked. TIMBOBIMBO was the password of a file that was inside the zip file, specifically a program. The program prompted for that password before it would continue running.

The blog post doesn't say the zip file password. It's not clear to me if the program that cracked the zip file even found the zip file password. It might just be able to find the plaintext but not the password.

reply
qingcharles
29 days ago
[-]
I too was waiting to see what the ZIP password was after all these years. I wonder if there is a way to reverse the decryption key into the password, or is it a sausage machine like password hashing?

How long would it take to brute-force this on a modern PC?

reply
jgrahamc
29 days ago
[-]
I spent a lot of power trying to reverse the actual password and got this far:

    PROGRAM  PATTERN                             MAX LENGTH TESTED
    bkcrack  ?p                                  14
    bkcrack  ?u?d                                16
    bkcrack  ?u                                  17
    bkcrack  ?l                                  15
    bkcrack  ?u?l?l?l?l?l?l?l?l?l?l?l?l?l?l?l    16
    bkcrack  ?u?l?u?l?u?l?u?l?u?l?u?l?u?l?u?l    16 
    hashcat  ?u?l?d                              14
The author kindly modified bkcrack based on Tim's fuzzy recollection of what he thought he might have chosen for the password: https://github.com/kimci86/bkcrack/pull/56 and https://github.com/kimci86/bkcrack/pull/126. However, I ran out of time to work on this part and it seemed more important to get the actual code running.

Also, in the course of things I discovered that Tim used PKZIP inside the BASIC code using a password that used non-printing characters.

reply
qingcharles
28 days ago
[-]
> Also, in the course of things I discovered that Tim used PKZIP inside the BASIC code using a password that used non-printing characters.

Wow, that would make brute-forcing it an order of magnitude slower if you're having to cycle through control characters too. I wouldn't have thought to do this, as I wouldn't risk it not being supported.

reply
rasz
29 days ago
[-]
>Operation Vula ... 8-bit computers, DTMF tones, acoustic couplers

CIA/NSA got a whiff of Operation Vula using off the shelf Philips PX-1000 with build in DES and backdoored the product by bribing Philips https://www.cryptomuseum.com/crypto/philips/px1000/

reply
rurban
29 days ago
[-]
Which Tim Jenkins did overcome by using his own systems and own crypto. No backdoored DES, but ultimately secure one-time pads transported via floppies by the stewardess to each party. If they got hold of such a floppy in SA, it would only compromise the messages of this one receiver. Which would be detected sooner or later.
reply
jll29
28 days ago
[-]
Probably using ANY commercial encryption tech, you're doomed.

But it is naive to generate the key for a one-time pad using a PSEUDO random number generator!

The whole point of the one-time pad is to achieve true security because you can use truly random keys. The kind of key that used here could have been created locally by just exchanging the seed, which would have prevented putting all these stewardesses in danger ;-).

I understand the developer was self-taught (and "learn as you go" on top), so it's understandable, but whoever reads this and has truly important secrets, don't be that silly.

Having said this it is no easy to generate truly random numbers in large quantities. Again, you will need to build yourself your own hardware device, because most likely, all commercially available gear is rigged.

reply
nullc
27 days ago
[-]
> But it is naive to generate the key for a one-time pad using a PSEUDO random number generator!

which is what every stream cipher is, ... and indeed, they do suffer the expected failure modes from key reuse, etc.

Doesn't stop them from being a popular best practice. :)

reply
Thaxll
29 days ago
[-]
If you want to crack "old" ZIP and you know a few characters in the archive there is nothing better than: https://github.com/kimci86/bkcrack
reply
stavros
29 days ago
[-]
The program the entire article is about?
reply
cxr
22 days ago
[-]
There's a program called bkcrack (<https://github.com/kimci86/bkcrack>) that can crack password-protected ZIPs.

An interesting use case is documented in a blog post where someone (the Cloudflare CTO) uses it to recover some otherwise lost source code for a DOS-era program used in South Africa to record encrypted messages to (audio) tape and play them over payphones. <https://blog.jgc.org/2024/09/cracking-old-zip-file-to-help-o...>

reply