[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Introducing TGP...

To: "noloader@xxxxxxxxx" <noloader@xxxxxxxxx>
Subject: Re: [Full-disclosure] Introducing TGP...
From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
Date: Tue, 15 Jun 2010 15:26:41 +0000

>> The SHA256 hashing of the private key may not result in authenticity
>> assurances on the key (if I'm reading it correctly). I believe that's
>> an Athenticate-then-Encrypt scheme, and the details of the
>> interactions in AtE can be tricky.
>
>I had an opportunity to sleep on this, so here's my two cents. If I read the 
>docs
>correctly, this construction is:
>
>ENC( HASH(m) || m )

No, that's not what I'm doing.  As I said in my message yesterday, I'm simply 
using the hash of the encrypted private key and the hash of the public key to 
see if the keys were tampered with while at rest.  
When loading the private key fob, a passphrase is required.  Before I prompt 
for the passphrase, I rehash the encrypted private key as stored, and compare 
that to the stored hash of the same.  If they are different, I flag an error.

I'll dive into your references though and see if any of it applies.  Thanks.

t


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Introducing TGP...
  - From: Jeffrey Walton
- Re: [Full-disclosure] Introducing TGP...
  - From: Jeffrey Walton

Prev by Date: [Full-disclosure] Patriotic botnet with Orange's HADOPI software
Next by Date: [Full-disclosure] [SECURITY] [DSA 2054-2] New bind9 packages fix cache poisoning
Previous by thread: Re: [Full-disclosure] Introducing TGP...
Next by thread: Re: [Full-disclosure] Introducing TGP...
Index(es):
- Date
- Thread