1. Visible Encrypted Data:
The second called "encrypted.asc" opens and has ----BEGIN PGP MESSAGE---- at the top of it, then the message, then ----END PGP MESSAGE---- at the bottom.
This is part of the mime-specific declaration for a pgp encrypted message:
Content-Type: multipart/encrypted;
protocol="application/pgp-encrypted";
boundary="ys...kdW7"
...
This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
--randomID
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME version identification
Version: 1
--randomID
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2
hRAMA/v7GLI2ARvTBT/9Fn3HM1pmvEpGlDZbjxAREE6Ubi00sajWq5YDu+NXwuRu
inwslI+l2h3WhEaIYVG+SjZvFcAkVsL6fBgLak805OwDL9LbSFMYovl14Pi4GvyG
...
-----END PGP MESSAGE-----
If your system is capable of handling PGP-encrypted mails (the mail program can do it by itself, or the MIME handler is configured correctly and the mail program can forward the content to the appropriate program) AND the 'private key' is present, then the message should be displayed decrypted.
As there is no error message and the raw encrypted data is presented, some part of the message might be defective or the mail program cannot handle the MIME header:
Have you changed your e-mail program? — Possible occasions might be:
- Changed the mail program by changing the device or the program (i.e. from your PC/Mac/iPad to your smartphone or to a WebMailer interface, etc.)
- Reinstallation of the software
- Reset of the configuration
If the encryption key is from you, you have to expect the key to be on the device you used before the hack. The required 'private key' for the decryption will not magically duplicate to the new mail program, but the change will break the transparent decryption process.
Especially on devices from Apple I expect a hardly noticeable handling of encryption, so some users will not be aware of its presence.
Not knowing about the presence of encryption makes it very probable to break the working system, resulting in the effects you describe.
2. E-Mail Subject
I'm wondering if perhaps the series of letters/numbers in the subject line are a "key" to decrypt the PGP message
A subject is required to be encoded with base64 if it contains letters that do not conform to the 7-bit ASCII encoding (i.e. Cyrillic letters).
It would be of interest to get the subject line pasted in your question, so this could be verified and decoded. Example (on a Linux system):
Subject: =?UTF-8?B?4q2Q4q2Q4q2Q4q2Q4q2QIDExOTcgUmV2aWV3cw==?=
The relevant part is between the last two ?:
4q2Q4q2Q4q2Q4q2Q4q2QIDExOTcgUmV2aWV3cw==
base64 -d <<<4q2Q4q2Q4q2Q4q2Q4q2QIDExOTcgUmV2aWV3cw==
⭐⭐⭐⭐⭐ 1197 Reviews
(sorry for the spam header, it just came in handy ...)
As your e-mail seems to be sent by Facebook itself, it is not to be expected that they do a crude hack to hide an encryption key alongside the encrypted message.
3. Facebook and PGP-Encryption
About this point I can't tell you much as Facebook is not my 'favorite' one.
But Facebook has an option to enable the e-mail communication in encrypted manner: PGP @facebook
To understand what PGP is and how to handle it with Facebook, this page gives you an idea: Configuring PGP Encrypted Facebook Notification
In essence, Facebook can handle PGP encryption for e-mails to enhance security, as sometimes sensitive information about shopping and financials may occur and e-mail without encryption is not safe (everybody on its path to you can read it, and machines read everything, in contrast to the postman...).
4. Some more information about PGP and the Message
The PGP encryption system is no crude, proprietary thing, but is well defined by RFC 4880. So there exist several independent solutions to handle such keys and messages.
Having the basic command-line tools at your fingertips is always useful:
GnuPG is a very good point to start. After installation, gpg is the command to use:
Save your encrypted message as a text-file:
-----BEGIN PGP MESSAGE-----
<garbage>
-----END PGP MESSAGE-----
Issue the command
gpg --verify message-file
If the private key is not available in GnuPG's keyring, this will not decrypt the message. But depending on details, this might reveal some administrative information about the used key.
You might get the same or even more when importing the key you've saved from your Facebook profile to a text file.
First import the key to the keyring:
gpg --import keyfile.asc
Then show some details:
gpg --list-keys
gpg --list-sigs
Perhaps you find some details (name, e-mail address?) that help.
Comparing the information extracted from the message and the key in your profile might also be of interest:
The same key should be used, as the mail claims to come from Facebook (but there is no warranty of authenticity, as the hackers could have copied the 'public key' and now use it to trick you).
5. If this is not your encryption key
You have the problem that your fb-account had been stolen and now (without your interaction) the mails come encrypted.
If the above described disruption of the decryption chain is not the problem, it is quite plausible that the encryption has been activated by the hackers and you do not have the private key to decrypt the messages (see below). So they can read the messages (if they get them) and not you!
- Think about the option to involve the police. They need your help to get the guys. — To keep this option effective, you should store everything before you change it. — To hand over this information is a step you can decide later on.
- Search for a second e-mail address (or something similar) in your facebook account, where fb mails might be sent to as a copy.
There is a good possibility that the hackers managed to receive duplicates of your e-mails to grab sensitive information and possibly intervene at the right point by encrypted e-mail, locking you out from your account and doing some financial or shopping transfers.
=> Archive the findings and remove them from your account.
A foreign key should be exchanged for your own key:
Before enabling your own key you should enable your e-mail program to handle PGP-encrypted mails and also import the 'public key' of Facebook, so you also can send encrypted mails to them. (This should be a separate question here at superuser.com)
- Generate your own keys
- Copy the currently used 'public key' in your fb-account to a text file for forensics, including the marks -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- (important if you want to involve the police and if you want to know more about the key)
- Delete the current 'public key' at facebook
- Enter your own, newly created 'public key' at facebook so they encrypt the mails sent to you (that's a good thing).