| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200605270235.k4R2Zfqc006536@turing-police.cc.vt.edu> Date: Sat May 27 03:35:54 2006 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: RE: [security] A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt. On Sat, 27 May 2006 00:32:21 BST, fractalg@...hspeedweb.net said: > 1) Are you saying that the key used to encrypt is fixed (it's not our > passphrase !?!?!), and your passphrase is just to access the disk, meaning, > just to control user access to the pgp disk ??? No, what he's saying is that if you can subvert the PGP software at a point after it has both the secret key and the passphrase and has combined them, you can get access to the files. But that's been a known attack vector against essentially all crypto for basically forever. It's basically the same problem with using SSL to secure a network connection - if the host itself has been compromised, you can see the data before it goes into the tunnel. It's similar to attacks on TCP sequence numbers - Bellovin et al pointed out the danger, but it wasn't till Mitnick's attacks that it was actually a practical attack. All the same, even though it's been a known theoretical attack since PGP was released, Adonis did a nice piece of work in actually showing it to be a practical attack. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060526/e40e0ac1/attachment.bin
Powered by blists - more mailing lists