Contest Registration
Registration is now open! To register for the contest and be eligible to win, several things must happen. They do not need to happen all at the same time. You can pre-register and receive the hashes as soon as the contest starts, or register during the conference, after the contest has started.
- Import our PGP keys - All messages to us should be encrypted to our key(s).
- Submit your PGP key to us - We will only accept PGP-signed emails from keys that have been registered with us.
- Reply to a confirmation challenge - Verifying your email address and PGP key.
- Tell us your team name - Optional, as your primary identifier is your PGP KeyID.
- Tell us if you are a Pro team
Import our PGP keys
There are two PGP keys you need to import:
- The key for sub-2023@contest.korelogic.com, the submission autoresponder, available here. That's the email address and PGP key you'll use for all the steps below.
- The key for defcon-2023-contest@korelogic.com, the group alias for the humans running the contest, available here. You really only need this if something goes wrong, and you need to contact us (or we contact you; our correspondence will always be signed with that or our individual @korelogic.com keys).
You can use an existing PGP key or create a new one - however, the key you use must have only one UID (email address), so don't use an existing key if you have multiple UIDs attached to it. We recommend you use a new key dedicated to the contest, so that you can share the private key among team members or automate submissions without weakening the security of an existing, important PGP key, but that is up to you.
You must send us the public key in an email that is encrypted to us and signed by that key. You do not have to send all mails to us From: the email address in the key, but you must be able to receive emails sent to that address. That is, if alice@example.org and bob@example.org create a PGP key for foo@gmail.com, it does not matter if all their mails to us come from alice@ or bob@ or wherever, as long as the mails are signed by the foo@gmail.com key and they will receive, and be able to decrypt, the replies we send to foo@gmail.com.
You may use ASCII-armored, inline PGP messages or MIME messages with PGP'ed attachments (either sign+encrypt the whole message, or add a signed & encrypted attachment to a plaintext message).
A suitable way to compose your key-registration email after you've made your key using GnuPG would look like this, assuming your new PGP key has KeyID 0xDEADC0D3:
$ gpg -a -o my-key.pub.asc --export DEADC0D3
And then either email the resulting keysub-email.asc as an inline-PGP message:
$ gpg -a -o keysub-email.asc -r sub-2023@contest.korelogic.com \
-se my-key.pub.asc
$ mail -s "PGP key" sub-2023@contest.korelogic.com < keysub-email.asc
Or, attach the encrypted-and-signed file keysub-email.asc (not the file my-key.pub.asc) to a regular email to sub-2023@contest.korelogic.com, such as if you are using GMail's web client.
The Subject: is not really important, nor is the From: - we only trust what is inside the encrypted+signed message.
Don't forget to add --local-user DEADC0D3 if you have more than one secret key, such as if you already had a key but created an additional one just for use during this contest.
Note: the submission processor does not support detached signatures, separate from the encrypt stage. So for instance if your mail client creates your message so that it looks like:
mime(encrypt(mime(payload.txt, signature.asc)))
Then that will not work. In particular we have seen in past years' contests that the Apple Mail client likes to create messages that way. They will be silently dropped by the submission handler as non-compliant. We might or might not have time to notice and contact you directly about it. Try pre-generating the encrypted+signed file using the above example steps, and then attach it ("keysub-email.asc") to a non-PGP'ed email.
Confirmation Challenge
When we have learned your PGP key, we will send an encrypted challenge to the email address in the PGP key. This is to make sure we are able to reach you at that address using that key, and that you can decrypt messages encrypted to it. Once you decrypt it, it will contain instructions on what to send back to us, PGP signed+encrypted, to confirm your address, which you would do something like this:
$ gpg -a -o response-email.asc -r sub-2023@contest.korelogic.com -se
[cut-and-paste the challenge line, including the Chal: prefix]
^D
$ mail -s "Challenge Response" sub-2023@contest.korelogic.com < \
response-email.asc
...Or attach response-email.asc to a Gmail message, etc.
When we receive and verify that response from you, you will get another email acknowledging it. Your email address will be on the list to receive information from us and to submit cracked passwords to us, and your team will appear on the Teams page.
Your primary identifier, as far as we are concerned, is your PGP KeyID. Team names are sugar for the stats pages, etc.
Team names must be from 4 to 40 characters long, and consist of only letters, numbers, spaces, hyphens, underscores, and dots, and start and end with a letter or number. In other words, they must match:
^[A-Za-z0-9][-._A-Za-z0-9 ]{2,38}[A-Za-z0-9]$
We reserve the right to reject or mangle your submitted name.
Register your team name with us by sending a signed, encrypted email as described above, containing the line:
Team: team_name
...in the encrypted body. You can include this when you are first sending us your key; just include the Team: line as the first line of the payload, followed by the PGP public key block, that you encrypt+sign into keysub-email.asc in the example above. Or, you can set it afterwards as a separate step.
We will notify you (after you've confirmed your email address; see above) if we reject your team name for some reason (duplicate, contained nothing but profanity, etc.). In the meantime your team will be identified by its PGP KeyID.
The autoresponder will reject a team name from a team that has already been assigned a name, so if you want to change an existing name, send a PGP-signed email to our human contact address, defcon-2023-contest@korelogic.com.
Once you have received the confirmation email that your team's public key has been registered (after you have sent in your Challenge response), if you want to compete in the "Pro" category, please send a PGP-signed email to our human contact address, defcon-2023-contest@korelogic.com, telling us so.
tl;dr
You can combine registration steps something like this (again, remember --local-user DEADC0D3 if this isn't your only key):
$ echo "Team: awesome" > reg-email
$ gpg -a --export DEADC0D3 >> reg-email
$ gpg -a -o keysub-email.asc -r sub-2023@contest.korelogic.com \
-se reg-email
$ mail -s "Registration" sub-2023@contest.korelogic.com \
< keysub-email.asc
After this you will still need to wait for the confirmation challenge, decrypt and respond to it. And then, if you are a Pro team, tell us so.
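As an added example (not KoreLogic's own tooling), a small POSIX shell script that wraps the registration steps above: it checks a team name against the regex given earlier, builds the Team: + public-key payload, pulls the Chal: line out of a decrypted challenge, and wraps the encrypt+sign step. The KeyID and the key-block contents in the usage sketch are placeholders, and only encrypt_and_sign needs gpg installed.

```shell
#!/bin/sh
# Added example, not KoreLogic's own tooling. Assumes a POSIX shell and,
# for encrypt_and_sign only, gpg(1). KeyIDs below are placeholders.

# Team-name rule exactly as stated on the registration page.
TEAM_RE='^[A-Za-z0-9][-._A-Za-z0-9 ]{2,38}[A-Za-z0-9]$'
NL='
'

# Return 0 if $1 is an acceptable team name, 1 otherwise.
# A name containing a newline is rejected up front: grep matches line by
# line, so a second line could otherwise satisfy the regex on its own.
validate_team_name() {
    case "$1" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$TEAM_RE"
}

# Print the plaintext registration payload: the Team: line first, then the
# ASCII-armored public key read from file $2 (output of gpg -a --export).
build_reg_payload() {
    validate_team_name "$1" || { echo "rejected team name: $1" >&2; return 1; }
    printf 'Team: %s\n' "$1"
    cat "$2"
}

# Print the first challenge line, Chal: prefix included, from a decrypted
# challenge message in file $1, so it can be sent back verbatim.
extract_challenge() {
    sed -n '/^Chal:/{p;q;}' "$1"
}

# Encrypt+sign plaintext $1 to the submission autoresponder, writing $2 and
# signing with KeyID $3 (the --local-user the page reminds you about).
encrypt_and_sign() {
    gpg -a -o "$2" -r sub-2023@contest.korelogic.com \
        --local-user "$3" -se "$1"
}

# Usage sketch, with the page's placeholder KeyID 0xDEADC0D3:
#   gpg -a -o my-key.pub.asc --export DEADC0D3
#   build_reg_payload "awesome" my-key.pub.asc > reg-email
#   encrypt_and_sign reg-email keysub-email.asc DEADC0D3
#   mail -s "Registration" sub-2023@contest.korelogic.com < keysub-email.asc
```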
Now you are ready to submit cracks; see How to Submit Cracks.