On Sat, 27 May 2006 00:32:21 BST, fractalg@xxxxxxxxxxxxxxxx said:

> 1) Are you saying that the key used to encrypt is fixed (it's not our
> passphrase !?!?!), and your passphrase is just to access the disk, meaning,
> just to control user access to the pgp disk ???

No, what he's saying is that if you can subvert the PGP software at a point after it has both the secret key and the passphrase and has combined them, you can get access to the files. But that's been a known attack vector against essentially all crypto for basically forever. It's basically the same problem with using SSL to secure a network connection - if the host itself has been compromised, you can see the data before it goes into the tunnel.

It's similar to attacks on TCP sequence numbers - Bellovin et al. pointed out the danger, but it wasn't till Mitnick's attacks that it was actually a practical attack. All the same, even though it's been a known theoretical attack since PGP was released, Adonis did a nice piece of work in actually showing it to be a practical attack.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/