[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Running PGP on Netcom (and Similar)

On Mon, 12 Sep 1994, Adam Shostack wrote:

> >	To do this properly, you would want one shot passphrases,
> >similar to S/Key.  The implementation I see would have PGP hash your
> >pass phrase some large number of times (say 1000, which takes less
> >than a second on my 68030 mac) before using it to decrypt your pass
> >phrase.
> >
> >	Then, when logged in from a line being sniffed, you would
> >invoke PGP -1es ..., and when prompted for your pass phrase you would
> >enter 800/something-ugly-that-md5-makes.  PGP would then md5 this 200
> >times, and you'd have demonstrated your knowledge of your passphrase
> >without ever sending it over a line.  Clearly, PGP would need to store
> >the fact that you had used #800, and only accept lower numbers.

I can see how this gets around the problem of sending cleartext 
passphrases over a network, but how does it help stop the problem of the 
remote system running a keystroke log that is handed over to the 
authorities during a bust?  Armed with 800/some-number they can just type 
the same thing into PGP (or a modified copy) and decrypt the files that 
you were keeping on-line.


- Andy

| Andrew Brown  Internet <[email protected]>  Telephone +44 115 952 0585    |
| PGP 2.6ui fingerprint: EC 80 9C 96 54 63 CC 97  FF 7D C5 69 0B 55 23 63 |