Full Disclosure mailing list archives

Re: PGP & Truecrypt "A Nasty Security Bug"


From: Markus Jansson <seemyhomepage () katsokotisivuilta ni>
Date: Sat, 27 May 2006 22:55:20 +0300

From what I understood, this is really not any kind of bug. The issue is simple: If you have encrypted something the way PGP/Truecrypt does (that is, it creates an encryption key and encrypts that with an encryption key created from your passphrase), you can of course do this.

How? Well, since you can always hold the original encryption key used. It doesn't matter how many times the passphrase is changed, since the original "master" encryption key remains the same. This is the basic issue here.

Lesson: Don't just change passphrases when re-using encrypted containers etc. but RECRYPT the container.

Point: Anything encrypted with PGP/Truecrypt is still secure if you have a complex passphrase on it and don't let anyone else know what it is.

--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
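
The design described in the message above, as an added example that is not part of the original post and is not PGP or TrueCrypt code. It is a toy model: all function names are hypothetical, and the XOR key wrap and SHA-256 counter-mode cipher are stand-ins for the real primitives. It shows that a passphrase change re-wraps the same master key, while re-encryption replaces it.

```python
import hashlib, hmac, os

def _kek(passphrase, salt):
    # 64 bytes from the passphrase: 32 to wrap the master key, 32 to authenticate
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=64)

def wrap(master_key, passphrase):
    # Toy header: salt || wrapped master key || HMAC tag (assumed layout)
    salt = os.urandom(16)
    k = _kek(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, k[:32]))
    return salt + wrapped + hmac.new(k[32:], wrapped, "sha256").digest()

def unwrap(header, passphrase):
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    k = _kek(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(k[32:], wrapped, "sha256").digest()):
        return None  # wrong passphrase
    return bytes(a ^ b for a, b in zip(wrapped, k[:32]))

def crypt(master_key, data):
    # Toy symmetric stream cipher keyed only by the master key
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(master_key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def change_passphrase(header, old, new):
    # Only the header changes; the body stays encrypted under the same master key
    return wrap(unwrap(header, old), new)

def reencrypt(header, body, old, new):
    # Fresh master key, body decrypted and encrypted again ("recrypt")
    plaintext = crypt(unwrap(header, old), body)
    new_mk = os.urandom(32)
    return wrap(new_mk, new), crypt(new_mk, plaintext)

def demo():
    mk = os.urandom(32)
    header = wrap(mk, "old pass")
    body = crypt(mk, b"constructed sample data")
    retained = unwrap(header, "old pass")  # master key held from before the change
    header2 = change_passphrase(header, "old pass", "new pass")
    after_change = crypt(retained, body)   # retained key still decrypts the body
    header3, body3 = reencrypt(header2, body, "new pass", "new pass")
    after_reencrypt = crypt(retained, body3)  # retained key no longer decrypts
    return unwrap(header2, "old pass"), after_change, after_reencrypt

if __name__ == "__main__":
    print(demo())
```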

