# Type: OpenSSL certificates/key files # From: Nicolas Collignon 0 string -----BEGIN\x20CERTIFICATE PEM certificate >22 string !----- {invalid} 0 string -----BEGIN\x20CERTIFICATE\x20REQ PEM certificate request 0 string -----BEGIN\x20RSA\x20PRIVATE PEM RSA private key 0 string -----BEGIN\x20DSA\x20PRIVATE PEM DSA private key 0 string -----BEGIN\x20EC\x20PRIVATE PEM EC private key # Type: OpenSSH key files # From: Nicolas Collignon 0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key, >28 byte !0 >>28 string x version "%s" >28 byte 0 {invalid} 0 string ssh-dss\x20 OpenSSH DSA public key 0 string ssh-rsa\x20 OpenSSH RSA public key 0 string ecdsa-sha2-nistp256\x20 OpenSSH ECDSA (Curve P-256) public key 0 string ecdsa-sha2-nistp384\x20 OpenSSH ECDSA (Curve P-384) public key 0 string ecdsa-sha2-nistp521\x20 OpenSSH ECDSA (Curve P-521) public key # Type: Certificates/key files in DER format # From: Gert Hulselmans 0 string \x30\x82 Private key in DER format (PKCS#8), >4 string !\x02\x01\x00 {invalid} >2 beshort <0 {invalid} >2 beshort x header length: 4, sequence length: %d >2 beshort+4 x {size:%d} 0 string \x30\x82 Certificate in DER format (x509 v3), >4 string !\x30\x82 {invalid} >2 beshort <0 {invalid} >2 beshort x header length: 4, sequence length: %d >2 beshort+4 x {size:%d} # Type: PKCS#7 signature DER format 0 string \x30\x82 Object signature in DER format (PKCS#7), # OBJECT IDENTIFIER 1.2.840.113549.1.7.2 signedData (PKCS #7) >4 string !\x06\x09\x2a\x86\x48\x86\xF7\x0D\x01\x07\x02 {invalid} >2 beshort <0 {invalid} >2 beshort x header length: 4, sequence length: %d >2 beshort+4 x {size:%d} # GnuPG # The format is very similar to pgp 0 string \001gpg GPG key trust database >4 byte x version %d # Not a very useful signature #0 beshort 0x9901 GPG key public ring # This magic is not particularly good, as the keyrings don't have true # magic. Nevertheless, it covers many keyrings. #------------------------------------------------------------------------------ # Mavroyanopoulos Nikos # mcrypt: file(1) magic for mcrypt 2.2.x; 0 string \0m\3 mcrypt 2.5 encrypted data, >4 byte 0 {invalid} >4 string x algorithm: "%s", >>&1 leshort <1 {invalid} >>&1 leshort >0 keysize: %d bytes, >>>&0 byte 0 {invalid} >>>&0 string >\0 mode: "%s", 0 string \0m\2 mcrypt 2.2 encrypted data, >3 byte 0 algorithm: blowfish-448, >3 byte 1 algorithm: DES, >3 byte 2 algorithm: 3DES, >3 byte 3 algorithm: 3-WAY, >3 byte 4 algorithm: GOST, >3 byte 6 algorithm: SAFER-SK64, >3 byte 7 algorithm: SAFER-SK128, >3 byte 8 algorithm: CAST-128, >3 byte 9 algorithm: xTEA, >3 byte 10 algorithm: TWOFISH-128, >3 byte 11 algorithm: RC2, >3 byte 12 algorithm: TWOFISH-192, >3 byte 13 algorithm: TWOFISH-256, >3 byte 14 algorithm: blowfish-128, >3 byte 15 algorithm: blowfish-192, >3 byte 16 algorithm: blowfish-256, >3 byte 100 algorithm: RC6, >3 byte 101 algorithm: IDEA, >3 byte <0 {invalid} >3 byte >101 {invalid} >3 byte >16 >>3 byte <100 {invalid} >4 byte 0 mode: CBC, >4 byte 1 mode: ECB, >4 byte 2 mode: CFB, >4 byte 3 mode: OFB, >4 byte 4 mode: nOFB, >4 byte <0 {invalid} >4 byte >4 {invalid} >5 byte 0 keymode: 8bit >5 byte 1 keymode: 4bit >5 byte 2 keymode: SHA-1 hash >5 byte 3 keymode: MD5 hash >5 byte <0 {invalid} >5 byte >3 {invalid} #------------------------------------------------------------------------------ # pgp: file(1) magic for Pretty Good Privacy # #0 beshort 0x9900 PGP key public ring #0 beshort 0x9501 PGP key security ring #0 beshort 0x9500 PGP key security ring #0 beshort 0xa600 PGP encrypted data 0 string -----BEGIN\040PGP PGP armored data, >15 string PUBLIC\040KEY\040BLOCK- public key block >15 string MESSAGE- message >15 string SIGNED\040MESSAGE- signed message >15 string PGP\040SIGNATURE- signature 0 string Salted__ OpenSSL encryption, salted, >8 ubelong x salt: 0x%X >12 ubelong x \b%X #------------------------------------------------------------------------------ # LUKS http://tomb.dyne.org/Luks_on_disk_format.pdf # sessyargc 0 string LUKS\xBA\xBE LUKS_MAGIC >6 short 0x0001 version 0x%X >8 string aes %s >8 string twofish %s >8 string serpent %s >8 string cast5 %s >8 string cast6 %s >40 string ecb %s >40 string cbc-plain %s >40 string cbc-essiv %s: >72 string sha1 %s >72 string sha256 %s >72 string sha512 %s >72 string ripemd160 %s #------------------------------------------------------------------------------- # Nagra Stuff 0 string \x00\x00\x01\6c Nagra PK >4 ubelong x Ird: %X >9 byte <0x03 {invalid} >9 byte >0x03 {invalid} >9 byte 0x03 Padding?! #---------------------------NAGRA----------------------------------------------- 0 string \x10\x19\x24\x31 Nagra Constant_KEY 0> ubelong x IDEA_Key: %X 4> ubelong x %X 8> ubelong x %X # The Rijndael S-Box 0 string \x63\x7C\x77\x7B AES S-Box >4 string !\xF2\x6B\x6F\xC5 {invalid} 0 string \x52\x09\x6a\xd5 AES Inverse S-Box >4 string !\x30\x36\xA5\x38 {invalid} # magic signatures to detect PGP crypto material (from stef) # detects and extracts metadata from: # - symmetric encrypted packet header # - RSA (e=65537) secret (sub-)keys # 1024b RSA encrypted data 0 string \x84\x8c\x03 PGP RSA encrypted session key - >3 ubelong x keyid: %X >7 ubelong x %X >11 byte <0x01 {invalid} >11 byte >0x02 {invalid} >11 byte 0x01 RSA (Encrypt or Sign) 1024b >11 byte 0x02 RSA Encrypt-Only 1024b >12 string \x04\x00 >12 string \x03\xff >12 string \x03\xfe >12 string \x03\xfd >12 string \x03\xfc >12 string \x03\xfb >12 string \x03\xfa >12 string \x03\xf9 >142 byte 0xd2 # 2048b RSA encrypted data 0 string \x85\x01\x0c\x03 PGP RSA encrypted session key - >4 ubelong x keyid: %X >8 ubelong x %X >12 byte <0x01 {invalid} >12 byte >0x02 {invalid} >12 byte 0x01 RSA (Encrypt or Sign) 2048b >12 byte 0x02 RSA Encrypt-Only 2048b >13 string \x08\x00 >13 string \x07\xff >13 string \x07\xfe >13 string \x07\xfd >13 string \x07\xfc >13 string \x07\xfb >13 string \x07\xfa >13 string \x07\xf9 >271 byte 0xd2 # 3072b RSA encrypted data 0 string \x85\x01\x8c\x03 PGP RSA encrypted session key - >4 ubelong x keyid: %X >8 ubelong x %X >12 byte <0x01 {invalid} >12 byte >0x02 {invalid} >12 byte 0x01 RSA (Encrypt or Sign) 3072b >12 byte 0x02 RSA Encrypt-Only 3072b >13 string \x0c\x00 >13 string \x0b\xff >13 string \x0b\xfe >13 string \x0b\xfd >13 string \x0b\xfc >13 string \x0b\xfb >13 string \x0b\xfa >13 string \x0b\xf9 >399 byte 0xd2 # 3072b RSA encrypted data 0 string \x85\x02\x0c\x03 PGP RSA encrypted session key - >4 ubelong x keyid: %X >8 ubelong x %X >12 byte <0x01 {invalid} >12 byte >0x02 {invalid} >12 byte 0x01 RSA (Encrypt or Sign) 4096b >12 byte 0x02 RSA Encrypt-Only 4096b >13 string \x10\x00 >13 string \x0f\xff >13 string \x0f\xfe >13 string \x0f\xfd >13 string \x0f\xfc >13 string \x0f\xfb >13 string \x0f\xfa >13 string \x0f\xf9 >527 byte 0xd2 # 4096b RSA encrypted data 0 string \x85\x04\x0c\x03 PGP RSA encrypted session key - >4 ubelong x keyid: %X >8 ubelong x %X >12 byte <0x01 {invalid} >12 byte >0x02 {invalid} >12 byte 0x01 RSA (Encrypt or Sign) 8129b >12 byte 0x02 RSA Encrypt-Only 8129b >13 string \x20\x00 >13 string \x1f\xff >13 string \x1f\xfe >13 string \x1f\xfd >13 string \x1f\xfc >13 string \x1f\xfb >13 string \x1f\xfa >13 string \x1f\xf9 >1039 byte 0xd2 # From bsdphk: These four signatures can be used to spot DES encryption implementations 0 string \x38\x30\x28\x20\x18\x10\x08\x00\x39\x31\x29\x21\x19\x11\x09\x01\x3a\x32\x2a\x22\x1a\x12\x0a\x02\x3b\x33\x2b\x23\x3e\x36\x2e\x26\x1e\x16\x0e\x06\x3d\x35\x2d\x25\x1d\x15\x0d\x05\x3c\x34\x2c\x24\x1c\x14\x0c\x04\x1b\x13\x0b\x03 DES PC1 table 0 string \x0d\x10\x0a\x17\x00\x04\x02\x1b\x0e\x05\x14\x09\x16\x12\x0b\x03\x19\x07\x0f\x06\x1a\x13\x0c\x01\x28\x33\x1e\x24\x2e\x36\x1d\x27\x32\x2c\x20\x2f\x2b\x30\x26\x37\x21\x34\x2d\x29\x31\x23\x1c\x1f DES PC2 table 0 string \x01\x01\x04\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x01\x04\x04\x01\x01\x00\x04\x00\x01\x04\x04\x00\x00\x00\x04\x00\x01\x00\x00 DES SP1, big endian 0 string \x00\x04\x01\x01\x00\x00\x00\x00\x00\x00\x01\x00\x04\x04\x01\x01\x04\x00\x01\x01\x04\x04\x01\x00\x04\x00\x00\x00\x00\x00\x01\x00 DES SP1, little endian{overlap} 0 string \x80\x10\x80\x20\x80\x00\x80\x00\x00\x00\x80\x00\x00\x10\x80\x20\x00\x10\x00\x00\x00\x00\x00\x20\x80\x10\x00\x20\x80\x00\x80\x20 DES SP2, big endian 0 string \x20\x80\x10\x80\x00\x80\x00\x80\x00\x80\x00\x00\x20\x80\x10\x00\x00\x00\x10\x00\x20\x00\x00\x00\x20\x00\x10\x80\x20\x80\x00\x80 DES SP2, little endian