hints, spoilers 

@Pat: >That's right, it's hex. And you see by looking at those hexadecimal values right at the beginning it says, "Salted". That gives a lot of information. You know that it uses a key, so it's not just substitution. It uses an encryption algorithm, and that the key was derived from a password+salt, which means you can't use a rainbow table because salt was added to the password. But I said it was simple. (Note: In the wild, the relationship between the person protecting the data and the person trying to crack the encryption is adversarial and the former would avoid providing information to the latter, or might provide misleading info, but in this case I'm not misleading you. Trust me. :ablobsmilehappy:) So what makes this one so easy?

@sturgman:
>"the word Salted is without a key, right? It is just direct translation to ASCII. I didn't try the rest of it."

- - -

The salt is needed by the decryption process in order to make the key when the user supplies the password, so the salt needs to be in the clear. Or else the user would need to supply the salt and the password. Is that simple? I don’t know if it is easier to let the hash algorithm generate a random salt and store it at the beginning or for the user to supply a salt with the password when they encrypt and decrypt. I think the former is easier, so if it’s simple, then yes the salt is in there in the clear.

@trinsec

hints, spoilers 

@Pat I did suspect salted as well, and I suspected that the salt is the title of the poem. I've tried to use that a few times in the decrypter. Of course that didn't work. ;)

@sturgman

hints, spoilers 

@trinsec @sturgman

Another hint…

When I say that it’s simple, I’m not referring to SDES (Simplified Data Encryption Standard). That’s too simple, it uses a 10-bit key and I don’t think it even uses a hash of a password – I don’t believe it can even use a password. It is simple because it’s used for teaching purposes. The cipher I used for the poem is one which has been used in the wild for real encryption purposes.

(That’s a big hint.)

more clarifications, hints 

@trinsec @sturgman

======== SPOILERS =========

“Salted” is not the title of the poem, it’s just an indicator for the salt. The title of the poem is “Pat Wrote a Poem”, which is shown in plaintext in the original toot, as well as being encrypted as part of the ciphertext. “Salted” is placed in there by the encryption utility as a header and just indicates the salt at the beginning which, as can be seen with a hexdump, is 07e3420c7230b00b. (That bit of info may be useful, but not in an obvious way.)

I want to clarify that the hashing of the password is a separate process from the encryption algorithm, but common utilities do this automatically by default or as instructed. I know of no known implementations of SDES that can also hash a password, (because it’s simple to just create a 10-bit key directly). The tool I used to encrypt this example created a random salt, hashed the supplied password, and derived the key and initial vector before encrypting. The hash digest algorithm used was sha256. (I don’t think that last bit of info will be useful to you.)

Also, SDES uses a 10-bit key, which means there are only 1024 possible keys and a brute-force attack could find the key very quickly, this is why I said that SDES was too simple, and why I didn’t use that cipher.

even more hints... 

@trinsec @sturgman

======== SPOILERS =========

I said that the cipher that I used was a common one used in real life. Let me also reveal that it has been used for quite some time now. A cryptanalyst may be able to solve this example by using a brute-force attack on the key with special tools, but that would take some time and I wouldn’t consider that “simple”.

Is the password something that can be easily guessed?

This is how most common breaches occur. Cryptanalysis on ciphertext itself doesn’t happen much except in theory or in well-funded efforts such as governments, or when a known weakness or backdoor is in play. (Note: Before I said that knowing that the hash algorithm was sha256 might not be useful, but if you're cracking the password, you'll need to know that.)

How long is the ciphertext?

This can give another clue as to the exact encryption algorithm used. (Remember to subtract out the salt header to determine the actual length.)

last clue: hide it in plain sight 

@trinsec @sturgman

I really can’t add any more hints without just revealing the whole thing, so let me just repeat some of what I’ve already said… (in order)

“Come on, it’s simple…”

“...the password. But I said it was simple….”

“...the password. Is that simple?”

“I say that it’s simple...”

“...password. It is simple...”

“(That’s a big hint.)”

“...password, (because it’s simple...”

“...’simple’. Is the password...”

“...something that can be easily guessed?”

last clue: hide it in plain sight 

@Pat Yes, okay.. I actually kinda lost interest a while ago because this isn't my area of expertise and I lost track and had other things to do. :P

So even if I know the password, I really wouldn't know where to begin to put it in... if there's anything to put in. I don't even know the software for this. :P

The only things I knew are: The code looks hexadecimal, and it's probably salted. That is all. I wouldn't even know how an expert starts to be able to figure out more details...

In other words, this is waaaaaay over my head. I probably would need a step by step thing or a tutorial to even get started.

@sturgman

the answer… 

@trinsec @sturgman

If there are any cryptographers lurking on this thread, they know that this is not my area of expertise, either. I really don’t know much about it. That’s one of the reasons why I did this, as a fun way to learn a little bit about it.

If you want to decrypt the poem, just copy the cipher text into a file named “poem.enc” and, from a command line type:

xxd -r -p poem.enc | openssl des -d -k simple

I think most of the major distros use openssl as default. If not, it should work with whatever tool you got. (You may need to specify CBC as the block-chain mode if it’s not already the default, and sha256 as the hash algorithm).

One thing I’m not sure of though is how the initialization vector is generated, if that’s a standard algorithm in all tools or not. But even if the IV is different it will still decrypt everything except the first block (which is part of the title of the poem), and I already gave out the poem title anyway.

(If anyone successfully decrypts it, feel free to post it here under a CW.)

(CW=content warning)

the answer… 

@trinsec @sturgman

The "xxd -r -p poem.enc" converts the hex into binary, which gets fed into the "openssl des" for decryption.
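
An added example, not part of the original thread: a Python sketch of what the hex dump reveals and how the key and IV come out of the password. It assumes the legacy `openssl enc` derivation (EVP_BytesToKey, one iteration, no `-pbkdf2`) with sha256 as stated in the thread; the function names and the filler ciphertext bytes are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte header written by `openssl enc` when a salt is used

def parse_salted(hex_text):
    """Split a hex dump of `openssl enc` output into (salt, ciphertext body)."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header")
    return raw[8:16], raw[16:]

def evp_bytes_to_key(password, salt, key_len, iv_len, md="sha256"):
    """EVP_BytesToKey with one iteration: chain H(prev || password || salt)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    # Key and IV are consecutive slices of the same hash stream.
    return out[:key_len], out[key_len:key_len + iv_len]

def block_sizes(body):
    """Block sizes (bytes) that evenly divide the body: 8 = DES-class, 16 = AES."""
    return [n for n in (8, 16) if body and len(body) % n == 0]

# Constructed sample: the real header and the thread's salt, followed by 24
# filler bytes standing in for the ciphertext (the poem's bytes are not here).
SAMPLE_HEX = "53616c7465645f5f" + "07e3420c7230b00b" + "00" * 24

if __name__ == "__main__":
    salt, body = parse_salted(SAMPLE_HEX)
    key, iv = evp_bytes_to_key(b"simple", salt, key_len=8, iv_len=8)
    print("salt:", salt.hex(), "| body bytes:", len(body),
          "| fits block sizes:", block_sizes(body))
    print("DES key:", key.hex(), "| IV:", iv.hex())
```

Under this derivation the IV depends only on the password, the salt and the digest, so any tool that follows the same scheme with the same digest arrives at the same IV.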
