On 03/03/12 01:25, brian m. carlson wrote:
It is not true that encryption amounts to XORing the message text
against the secret key.
[snip]
Also, in CFB mode, what is XORed is the output of a block cipher
encryption of the previous ciphertext.
And the paper exploits exactly this fact by
On Fri, 2 Mar 2012 08:50, d...@fifthhorseman.net said:
I believe that GnuPG had its own implementation of such an integrity
check before the standardization was settled.
Right, since version 1.0.2 (2000-07-12). With version 1.1.91
(2002-08-04) gpg even defaults to MDC packets if one of the
Thanks for replying again. Yes, I read Schneier's paper, which is why I am
confident that even the original attack scenario on a vulnerable implementation
would not apply to the use case I was originally concerned about after seeing
mention of a security glitch, namely encrypted local file
any of the decrypted contents of the original message that were sent by
the original sender.
Ciao,
Carter
- Original Message -
From: Daniel Kahn Gillmor d...@fifthhorseman.net
Sent: Friday, March 2, 2012 8:50 AM
Subject: Re: small security glitches
That said, the attack described
On Fri, 2 Mar 2012, Post Carter wrote:
. . . so I think we just have a terminology discrepancy
here. What is a bit confusing is using the words encrypted
vs. decrypted and ciphertext vs. cleartext when we're talking
about an attacker inserting contents into the message.
I have been reading
On Fri, Mar 02, 2012 at 04:55:23AM -0800, Post Carter wrote:
3) Next, the recipient decrypts the message. Since at its lowest level
the encryption amounts to XOR'ing the message text against the secret
key, it essentially results in the flipping of each class of text. C
becomes P and P
If Tom McCune's simplified explanation isn't detailed enough, check out Bruce
Schneier's original paper describing the attack:
http://www.schneier.com/paper-pgp.html
The idea is that the decrypted gibberish is the encrypted form of
the plaintext the attacker inserted. If the naive user re-sends
On 03/01/2012 07:44 PM, Post Carter wrote:
If Tom McCune's simplified explanation isn't detailed enough, check out Bruce
Schneier's original paper describing the attack:
http://www.schneier.com/paper-pgp.html
The idea is that the decrypted gibberish is the encrypted form of the
plaintext the
On 02/29/2012 10:33 AM, Post Carter wrote:
An individual intercepts an encrypted email. He places a plaintext addition
within the package, in such a manner that when the originally intended
recipient decrypts the message, the symmetric session key also decrypts the
addition
But since
Hello. I was reading this page,
http://www.gnupg.org/faq/GnuPG-FAQ.html#cant-we-have-a-gpg-library , and I
found this comment near the end of it in the section entitled How does this
whole thing work?: There is a small security glitch in the OpenPGP (and
therefore GnuPG) system; to avoid this
Am Dienstag, 1. November 2011, 13:35:11 schrieb Aaron Toponce:
Now switch sides. Suppose you're sending an encrypted mail to a colleague.
You're encrypting it for his eyes only. If you don't sign the message, he
may or may not choose to decrypt it. If you sign the encrypted mail, then
he can
On 01/11/11 13:35, Aaron Toponce wrote:
The glitch is that for security AND trust, messages must be both
encrypted and signed.
In that case, I find it to be phrased very awkwardly.
Encryption provides encryption: people can't see what is in it. Period.
Signing provides a form of integrity:
On 01/11/11 12:44, Hauke Laging wrote:
Now switch sides. Suppose you're sending an encrypted mail to a colleague.
You're encrypting it for his eyes only. If you don't sign the message, he
may or may not choose to decrypt it. If you sign the encrypted mail, then
he can verify the signature, see
On 11/01/2011 05:52, gn...@lists.grepular.com wrote:
Thunderbird + Enigmail here automatically decrypts encrypted email when
you view it, regardless of whether or not it is signed.
That's a local preference, which you can easily disable.
--
Nothin' ever doesn't change, but nothin'