Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: PGP & Truecrypt "A Nasty Security Bug"

from [Markus Jansson] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: PGP & Truecrypt "A Nasty Security Bug"
Date: Sat, 27 May 2006 22:55:20 +0300
From what I understod, this is really not any kind of bug. The issue is simple: If you have encrypted something the way PGP/Truecrypt does (that is, it creates encryption key and encrypts that with encryption key created from your passphrase), you can ofcourse do this.

How? Well, since you can always hold the original encryption key used. It doesnt matter how many times the passphrase is changed, since the original "master" encryption key remains the same. This is the basic issue here.

Lesson: Dont just change passphrases when re-using encrypted containers etc. but RECRYPT the container.

Point: Anything encrypted with PGP/Truecrypt is still secure if you have complex passphrase on it and dont let anyone else know what it is.

--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Re: PGP & Truecrypt "A Nasty Security Bug", Markus Jansson <=
Previous by Date:  RE: [Full-disclosure] RE: [security] A Nasty Security Bug that affectPGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt., Pedro Hugo
Next by Date:  [Full-disclosure] I need some backdoor code source, azrael goblin
Previous by Thread:  [Full-disclosure] cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4, Maksymilian Arciemowicz
Next by Thread:  [Full-disclosure] I need some backdoor code source, azrael goblin
Indexes:  [Date] [Thread] [Top] [All Lists]