Open Source and information security mailing list archives
 
Date: Sun May 28 02:41:23 2006
From: seemyhomepage at katsokotisivuilta.ni (Markus Jansson)
Subject: Re: PGP & Truecrypt "A Nasty Security Bug"

From what I understood, this is really not any kind of bug. The issue is
simple: If you have encrypted something the way PGP/Truecrypt does (that
is, it creates an encryption key and encrypts that with an encryption key
created from your passphrase), you can of course do this.

How? Well, since you can always hold the original encryption key used. 
It doesn't matter how many times the passphrase is changed, since the 
original "master" encryption key remains the same. This is the basic 
issue here.

Lesson: Don't just change passphrases when re-using encrypted containers 
etc. but RECRYPT the container.

Point: Anything encrypted with PGP/Truecrypt is still secure if you have 
a complex passphrase on it and don't let anyone else know what it is.

-- 
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
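
The design described in the message above, as an added example that is not part of the original post and is not PGP's or TrueCrypt's code: a toy container whose master key is wrapped under a passphrase-derived key, showing that a passphrase change leaves the master key unchanged while re-encryption replaces it. The `Container` class, its method names and the HMAC-based keystream are hypothetical stand-ins for the real formats and ciphers.

```python
import hashlib, hmac, os

def kdf(passphrase: str, salt: bytes) -> bytes:
    # Passphrase-derived key that wraps the master key
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in for the real cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Container:  # hypothetical model of a key-wrapping container
    def __init__(self, passphrase: str, plaintext: bytes):
        self._seal(os.urandom(32), passphrase, plaintext)

    def _seal(self, master: bytes, passphrase: str, plaintext: bytes):
        self.salt = os.urandom(16)
        self.wrapped_master = xor_stream(kdf(passphrase, self.salt), master)
        self.check = hashlib.sha256(master).digest()  # detects a wrong passphrase
        self.body = xor_stream(master, plaintext)

    def unlock(self, passphrase: str) -> bytes:
        master = xor_stream(kdf(passphrase, self.salt), self.wrapped_master)
        if not hmac.compare_digest(hashlib.sha256(master).digest(), self.check):
            raise ValueError("wrong passphrase")
        return master

    def change_passphrase(self, old: str, new: str):
        master = self.unlock(old)
        self.salt = os.urandom(16)
        # Only the wrapping changes; the body stays under the same master key
        self.wrapped_master = xor_stream(kdf(new, self.salt), master)

    def reencrypt(self, old: str, new: str):
        plaintext = xor_stream(self.unlock(old), self.body)
        self._seal(os.urandom(32), new, plaintext)  # fresh master key, new body

def demo():
    c = Container("old passphrase", b"constructed sample data")
    retained = c.unlock("old passphrase")  # master key kept from an earlier unlock
    c.change_passphrase("old passphrase", "new passphrase")
    after_change = xor_stream(retained, c.body)     # still the plaintext
    c.reencrypt("new passphrase", "new passphrase")
    after_reencrypt = xor_stream(retained, c.body)  # no longer the plaintext
    return after_change, after_reencrypt
```
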
