[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Impact of Netscape kernel hole (fwd)
>Joe "slightly crypto-savvy pgp user" sixpack keeps his pgp keyring in
>c:\pgp on a dos/w95 box. The average user of any of the unices keeps his
>keyring in /usr/pgp or /usr/local/pgp it does not take a lot of attempts
>to go through most of the common places.
>
>The very same guy probably has a password that is:
> [Dictionary attack on wimpy passphrases ]
With PGP 2.0 ... 4.0 secret keyring files, there's another attack.
(I don't know if PGP 5.0 files have this problem or not.)
You can't get the secret key itself from the password file without cracking
the IDEA password (or algorithm), but the user-name is in cleartext.
Joe Sixpack <[email protected]> 0x98458509834295834098589...
Joe Sixpack <[email protected]> 0x34543905843f90853490545...
Jane Doe #2 <[email protected]> 0x2d0e2d0e231415926535487...
Lone Ranger <[email protected]> 0x23dead5beef890832455345...
TruthMunger <[email protected]> 0x27182818284590459024090...
Arms Buyer <[email protected]> 0x08908024308732049872390...
If you've got pseudonyms as well as your real name, they show;
you've got all the usual risks of traffic analysis, outing, etc.
and your secret identity is toast. For most people, it's not a big risk,
but if you really _do_ need to keep your pseudonym untraceable,
this lets it leak out of your encrypted hard disk, which would be Bad.
Publius