Re: RE: [security] A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.

[Valdis.Kletnieks () vt edu]

On Sat, 27 May 2006 00:32:21 BST, fractalg () highspeedweb net said:

> 1) Are you saying that the key used to encrypt is fixed (it's not our
> passphrase !?!?!), and your passphrase is just to access the disk, meaning,
> just to control user access to the pgp disk ??? 

No, what he's saying is that if you can subvert the PGP software at a point
after it has both the secret key and the passphrase and has combined them,
you can get access to the files.

But that's been a known attack vector against essentially all crypto for basically
forever.  It's basically the same problem with using SSL to secure a network
connection - if the host itself has been compromised, you can see the data
before it goes into the tunnel.

It's similar to attacks on TCP sequence numbers - Bellovin et al pointed
out the danger, but it wasn't till Mitnick's attacks that it was actually
a practical attack.

All the same, even though it's been a known theoretical attack since PGP
was released, Adonis did a nice piece of work in actually showing it to
be a practical attack.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/