
Re: QUERY: S/Keyish PGP?



-----BEGIN PGP SIGNED MESSAGE-----

- -----BEGIN PGP SIGNED MESSAGE-----


I'm catching up on old mail...


In response to my query, 
Adam Shostack <[email protected]> wrote:
>
>| A quick question: Has anybody considered the possibility of hacking
>| something into PGP's password protection to allow an S/Key like access?
>
>	I thought of this, bounced it off a few people, none of whom
>caught the flaw.  When I got around to implementing it, I realized
>that for it to work, your key would have to be securely stored on your
>unix box without encryption.

I caught that.  What I was hoping for was something that would allow
a key to be used for a specific purpose once and only once by a given
passphrase.  Ideally, this could be done on a machine that was totally
insecure.

I didn't catch the fundamental flaw, though.  If the machine is
compromised the key can always be compromised by taking an image of the
previous state and replaying whatever passphrase was intercepted.

Bummer.
- - --
Todd Masco     | "life without caution/ the only worth living / love for a man/
[email protected] |  love for a woman/ love for the facts/ protectless" - A Rich
Cactus' Homepage: http://www.hks.net/~cactus/cactus.html

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

- -----END PGP SIGNATURE-----
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

-----END PGP SIGNATURE-----
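
An added illustration of the flaw described in the message above (not part of the original post, and not PGP or S/Key code): a hypothetical `OneTimeKeyStore` keeps one wrapped copy of the key per one-time passphrase and burns the slot after use, yet an image of the earlier state plus the intercepted passphrase still yields the key. The XOR wrapping is a toy stand-in for real encryption, and every name and value here is constructed.

```python
import copy
import hashlib

def _pad(passphrase: bytes) -> bytes:
    # Toy keystream for this sketch only (not a real cipher).
    return hashlib.sha256(b"wrap" + passphrase).digest()

def wrap(key: bytes, passphrase: bytes) -> dict:
    # One slot: a passphrase check value plus the key XORed with the pad.
    return {
        "check": hashlib.sha256(b"check" + passphrase).hexdigest(),
        "blob": bytes(a ^ b for a, b in zip(key, _pad(passphrase))),
    }

def unwrap(slot: dict, passphrase: bytes):
    if hashlib.sha256(b"check" + passphrase).hexdigest() != slot["check"]:
        return None
    return bytes(a ^ b for a, b in zip(slot["blob"], _pad(passphrase)))

class OneTimeKeyStore:
    """Hypothetical store: each one-time passphrase opens exactly one slot."""

    def __init__(self, key: bytes, passphrases):
        self.slots = [wrap(key, p) for p in passphrases]

    def use(self, passphrase: bytes):
        for i, slot in enumerate(self.slots):
            key = unwrap(slot, passphrase)
            if key is not None:
                del self.slots[i]  # burn the slot so the passphrase is single-use
                return key
        return None

def offline_replay(image, passphrase: bytes):
    # Works on a copy of the old state; the live store's deletion is irrelevant.
    for slot in image:
        key = unwrap(slot, passphrase)
        if key is not None:
            return key
    return None

def demo():
    secret = hashlib.sha256(b"constructed secret key").digest()
    store = OneTimeKeyStore(secret, [b"otp-1", b"otp-2"])
    image = copy.deepcopy(store.slots)         # state imaged before the key is used
    first = store.use(b"otp-1")                # legitimate use; passphrase is intercepted
    second = store.use(b"otp-1")               # replay against the live store fails
    replayed = offline_replay(image, b"otp-1") # replay against the image succeeds
    return first == secret, second is None, replayed == secret
```

The single-use property holds only for the live store; it cannot survive a machine whose earlier state can be copied.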