Challenge 39

Welcome to Challenge 39. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Insecure Encryption Key - Part 1

A developer encrypted a secret using AES and stored its base64 encoded value in a file. But where to leave the key? What about just using the filename as the encryption key instead? That way, every secret can have its own key easily! Can you find the secret?

The challenge file is called secrchallenge.md and can be found in the executables folder.


Why should we not use the filename as the encryption key?

There have been multiple scenarios where the contents of files were encrypted using the filename itself as the key, which allows attackers to easily decrypt their contents. It is often perceived as an easy way to keep the key close to the content, without reusing the same encryption key everywhere.

But as you can tell by now, this is not a good idea. An attacker has the key the moment the file is in his possession.
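The point above as a review check, in an added example that is not part of the challenge or the WrongSecrets code base: it tests whether a file's name and contents alone are enough to decrypt it, and contrasts that with a key held outside the file. The AES-256-GCM mode, the SHA-256(filename) key derivation, the file name and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: key = SHA-256(file name). The page does not say how the name
// becomes an AES key; any deterministic mapping has the same weakness.
function keyFromFilename(name) {
  return crypto.createHash('sha256').update(name, 'utf8').digest();
}

// AES-256-GCM; output is base64(iv || tag || ciphertext).
function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function decrypt(key, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Review check: returns the plaintext if the file's own name and contents
// are sufficient to decrypt it, otherwise null.
function recoverableFromFileAlone(file) {
  try {
    return decrypt(keyFromFilename(file.name), file.contents);
  } catch (err) {
    return null; // GCM tag mismatch: the key cannot be derived from the file
  }
}

// Constructed sample data, not the challenge file.
const SECRET = 'constructed-demo-secret';
const NAME = 'demo-secret.md';

// Weak: the key travels with the file as its name.
const weakFile = { name: NAME, contents: encrypt(keyFromFilename(NAME), SECRET) };

// Hardened: random key kept outside the file (in practice a secrets manager
// or KMS; a local variable stands in for it here).
const externalKey = crypto.randomBytes(32);
const hardenedFile = { name: NAME, contents: encrypt(externalKey, SECRET) };

console.log('weak file recoverable:', recoverableFromFileAlone(weakFile) !== null);
console.log('hardened file recoverable:', recoverableFromFileAlone(hardenedFile) !== null);
```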