Detect PGP encrypted files

Tom Ritter tom at ritter.vg
Fri Dec 31 04:24:38 CET 2010


That RFC is your best bet - but you're incorrect about the 3rd, 4th, and
5th bytes.  They are PGP only in *some* cases.  Specifically, they are
the Marker Packet - and they are ignored by implementations.  If you
want a surefire way to detect PGP files, your best bet may be to write a
rudimentary OpenPGP parser - looking at the packet headers and sizes,
and seeing if a file conforms.  Otherwise, you might get a lot of false
positives, as the OpenPGP specification is more based around rules such
as "If bits 1 and 2 are set then it means..." as opposed to fixed
byte-markers.

As far as other methods - openssl has a method to encrypt files (it was
used on the wikileaks insurance file).  I can't immediately think of any
other largely-deployed standards of encryption besides that and OpenPGP
- not counting things like encrypted zip files or word documents.

If your aim is to detect encryption, besides looking for file headers
and structures, you can also look for the absence of any structure, and
then check the file's compression rate.  There are papers written about
that approach.

-tom

On 12/30/2010 7:51 AM, Filip wrote:
> Hi,
> 
> How can I detect PGP encrypted files? I have noticed that the third,
> fourth and fifth bytes are always 'PGP' .. but I prefer to have a better
> signature .. 3 bytes are not enough and may cause false positives ... so
> can you please tell me how to better detect PGP encrypted files and is
> there a specification document for the PGP format other than the one here:
> http://tools.ietf.org/html/rfc4880
> 
> 
> Is there any other data encryption methods like PGP which are famously
> used to encrypt files?
> 
> 
> Thanks
> 
> 
> 
> 
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
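The rudimentary OpenPGP packet parser Tom suggests above, written out as an added example (not code from this thread, GnuPG or libgcrypt): it walks RFC 4880 packet headers in both old and new format, including partial body lengths, and only reports an encrypted message when the packet sequence has the right shape, so bytes 3-5 reading "PGP" is neither required nor sufficient. The sample bytes are constructed, and the S2K fields in the session-key packet are placeholders.

```python
# Packet tags defined in RFC 4880 section 4.3 (15 and 16 are unassigned)
KNOWN_TAGS = set(range(1, 15)) | {17, 18, 19}

def parse_packets(data: bytes) -> list:
    """Walk an OpenPGP packet stream (RFC 4880 4.2) into (tag, body) pairs; ValueError on any malformed or truncated header/body."""
    pos, packets = 0, []

    def take(n: int) -> bytes:                 # consume n bytes or fail loudly
        nonlocal pos
        if pos + n > len(data):
            raise ValueError(f"offset {pos}: truncated, needed {n} bytes")
        pos += n
        return data[pos - n:pos]

    while pos < len(data):
        ctb = take(1)[0]                       # packet header byte
        if not ctb & 0x80:
            raise ValueError(f"offset {pos - 1}: bit 7 clear, not a packet header")
        if ctb & 0x40:                         # new-format header, tag in low 6 bits
            tag, body, partial = ctb & 0x3F, b"", True
            while partial:                     # loop absorbs partial body lengths
                first = take(1)[0]
                partial = 224 <= first < 255   # 224..254: a chunk, another length follows
                if first < 192:    length = first
                elif first < 224:  length = ((first - 192) << 8) + take(1)[0] + 192
                elif first == 255: length = int.from_bytes(take(4), "big")
                else:              length = 1 << (first & 0x1F)
                body += take(length)
        else:                                  # old-format header, tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            length = len(data) - pos if ltype == 3 else int.from_bytes(take((1, 2, 4)[ltype]), "big")
            body = take(length)                # ltype 3 = indeterminate, runs to end of input
        packets.append((tag, body))
    return packets

def looks_like_pgp_message(data: bytes) -> bool:
    """Parses cleanly, known tags only, and has an ESK packet (tag 1 or 3) with encrypted data (9 or 18) last; Marker packets (10) are ignored per RFC 4880 5.8."""
    try:
        tags = [t for t, _ in parse_packets(data) if t != 10]
    except ValueError:
        return False
    if not tags or any(t not in KNOWN_TAGS for t in tags):
        return False
    return any(t in (1, 3) for t in tags) and tags[-1] in (9, 18)

# Constructed sample: Marker "PGP" (old format, tag 10), a Symmetric-Key Encrypted Session Key packet (old format, tag 3, placeholder S2K), then a Sym. Encrypted Integrity Protected Data packet (new format, tag 18) of junk bytes
SAMPLE = (b"\xa8\x03PGP" + b"\x8c\x0d\x04\x09\x03\x08" + b"\x00" * 8 + b"\x60"
          + b"\xd2\x14\x01" + b"\xaa" * 19)
```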
