Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] RE: [security] A Nasty Security Bug that affect PG

from [Valdis . Kletnieks] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] RE: [security] A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.
Date: Fri, 26 May 2006 22:35:41 -0400 
On Sat, 27 May 2006 00:32:21 BST, fractalg@highspeedweb.net said:


1) Are you saying that the key used to encrypt is fixed (it's not our
passphrase !?!?!), and your passphrase is just to access the disk, meaning,
just to control user access to the pgp disk ??? 


No, what he's saying is that if you can subvert the PGP software at a point
after it has both the secret key and the passphrase and has combined them,
you can get access to the files.

But that's been a known attack vector against essentially all crypto for 
basically
forever.  It's basically the same problem with using SSL to secure a network
connection - if the host itself has been compromised, you can see the data
before it goes into the tunnel.

It's similar to attacks on TCP sequence numbers - Bellovin et al pointed
out the danger, but it wasn't till Mitnick's attacks that it was actually
a practical attack.

All the same, even though it's been a known theoretical attack since PGP
was released, Adonis did a nice piece of work in actually showing it to
be a practical attack.

Attachment: pgpQAzK14nhQo.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] ZH2006-20 SA: CosmicShoppingCart Multiple Vulnerabilities, Vympel
Next by Date:  [Full-disclosure] [SECURITY] [DSA 1078-1] New tiff packages fix denial of service, Martin Schulze
Previous by Thread:  [Full-disclosure] RE: [security] A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt., fractalg
Next by Thread:  RE: [Full-disclosure] RE: [security] A Nasty Security Bug that affectPGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt., Pedro Hugo
Indexes:  [Date] [Thread] [Top] [All Lists]