Penetration Testing mailing list archives

Re: [PEN-TEST] Password Protection


From: "Jensen, Greg" <Greg_Jensen () NAI COM>
Date: Mon, 9 Oct 2000 11:55:38 -0700

Please keep in mind that PGP also includes SDA's (Self Decrypting Archives).
This would allow you to provide a solution that encrypts and compresses the
data and can then be placed on CD.  When your customer wants to view the
data, they only need to know the shared passphrase. No client software is
required.

Now, the downfall of this is that you are only as strong as your weakest
link, and the two weak links here are if you give your customer the passphrase
over an insecure medium (i.e., e-mail, phone) or if the password you assign is
an easy-to-guess "word" instead of a long and complicated phrase.

It would be preferable to use private/public keys to do all of this, but
this would indeed require the end user to have a copy of PGP.  This is why
we developed SDA's.

Good luck!

-----Original Message-----
From: Patrick Feisthammel [mailto:citrin () citrin ch]
Sent: Sunday, October 08, 2000 12:16 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Password Protection


Hi!

I would like to have the client be able to browse direct off the CD.

However I would like to somehow password protect the CD so no one can
browse any of the information on the disk without the password.

I suggest generating a virtual PGP Disk. This is one big file on the CD
and can be password protected. Mounting this virtual disk creates a new
drive letter. Using this drive you can access all documents as if they
were unencrypted.
Downside: The client needs the PGP Disk Software installed on his
computer. The software is available for Windows and Mac.

I'm sure there are also other virtual disk products available, perhaps even
for free. (PGP costs for commercial use)

Cheers,
Patrick

--
Citrin, Feisthammel und Partner,                  Phone: +41 1 994 4038
Steigstrasse 55, CH-8610 Uster, Switzerland       Fax: +41 1 994 4036
http://www.citrin.ch/                             email: citrin () citrin ch

