[108131] in Cypherpunks
FUD attack WAS:AUCRYPTO: New attack on PGP keys with a Word Macro
daemon@ATHENA.MIT.EDU (Jean-Francois Avon)
Fri Feb 5 13:23:46 1999
From: "Jean-Francois Avon" <jf_avon@citenet.net>
To: <aucrypto@suburbia.net>, <cypherpunks@toad.com>
Date: Fri, 5 Feb 1999 12:58:39 -0500
Reply-To: "Jean-Francois Avon" <jf_avon@citenet.net>
This message is quite funny by its implication.
It implies that PGP RSA secret key passphrases can be cracked. If it bases
its assumption on the statistical fact that there are a lot of users who
use weak passphrases, then, it might be true. But since it doesn't specify
such, it leaves the PGP user under the impression that secret keys can be
cracked.
What protects the secret RSA key is IDEA encryption (well, on 2.x.x
versions...). If the secret key protection can get cracked, then, one can
say that they could break the one-time IDEA key for each message. From the
cracker's standpoint, the economy of scale comes only if he can intercept
more than one message encrypted from the same RSA secret key, therefore
giving them access to every IDEA session key.
It looks improbable... I thus conclude that this is a FUD-inducing (Fear
Uncertainty and Doubt) operation to undermine the confidence that people
have in PGP.
Comments?
Ciao
jfa, Canada
-----Original Message-----
From: Fred Cohen <fc@all.net>
To: aucrypto@suburbia.net <aucrypto@suburbia.net>
Date: Friday, February 05, 1999 9:00 AM
Subject: AUCRYPTO: New attack on PGP keys with a Word Macro
>
>I just got a look at a Word file (CALIG.DOC) that contains user IDs and
>passwords to pornographic sites. In addition to these pointers, it has a
>Trojan Horse that finds the user's private PGP key ring and ftp's it to:
>
> 209.201.88.110 (codebreakers.org)
> user anonymous
> password itsme@
> directory incoming
> binary mode
> stored name: NewSecRingFile[0-9][0-9][0-9][0-9]
>
>This Trojan does its job in visual basic and - except for the initial
>notice (if enabled) that macros are present - gives no indication of this
>function that it performs. I figure the best defense against this is to:
>
>1) Have thousands of users ftp phony files to that IP address
> and filename on a regular basis, thus making it impossible to
> get any real PGP keys - preferably send valid-looking PGP keys
> so they have to waste a lot of time cracking them.
>
>2) Cut off all service for ftp with 209.201.88.110 (codebreakers.org)
> - either at the ISP, at your gateway, or at the borders to your country.
>
>3) Prosecute for possession of access devices - with international
> cooperation between authorities.
>
>4) Tell your people that this has been done so they will stop looking at
> pornography listing files (fat chance this will work).
>
>At any rate, I hope that you will take prudent precautions within your
>organization against this potential attack on the security of your private
>keys.
>
>Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
>Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
> [Much-too-long disclaimer omitted, separating the two roles. PGN]
>
>
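
Added example, not part of either message above: a gateway log check built only from the indicators listed in the quoted report (destination address, FTP password, stored file name), run over a constructed sample. The log line format, the client addresses and the second server address are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

# Indicators copied from the quoted report; nothing else about the Trojan is assumed.
DROP_HOST = "209.201.88.110"
STORED_NAME = re.compile(r"NewSecRingFile\d{4}")
FTP_PASSWORD = "itsme@"

# Constructed sample in a hypothetical gateway log format:
# <timestamp> <client_ip> <server_ip> <FTP command> [argument]
SAMPLE_LOG = """\
1999-02-05T09:01:10 10.0.0.21 209.201.88.110 USER anonymous
1999-02-05T09:01:11 10.0.0.21 209.201.88.110 PASS itsme@
1999-02-05T09:01:12 10.0.0.21 209.201.88.110 CWD incoming
1999-02-05T09:01:13 10.0.0.21 209.201.88.110 TYPE I
1999-02-05T09:01:14 10.0.0.21 209.201.88.110 STOR NewSecRingFile0042
1999-02-05T09:05:00 10.0.0.37 192.0.2.8 USER anonymous
1999-02-05T09:05:01 10.0.0.37 192.0.2.8 PASS guest@example.org
1999-02-05T09:05:02 10.0.0.37 192.0.2.8 STOR report.txt
1999-02-05T09:07:00 10.0.0.44 198.51.100.9 STOR NewSecRingFile1337
truncated
"""


def find_exfil(log_text):
    """Return {client_ip: sorted list of indicators seen from that client}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        _ts, client, server, command = parts[:4]
        arg = parts[4].strip() if len(parts) == 5 else ""
        command = command.upper()
        if server == DROP_HOST:
            hits[client].add("drop_host")
        if command == "PASS" and arg == FTP_PASSWORD:
            hits[client].add("password")
        # The file name is matched independently of the address, so an upload
        # to a different server (as in the last sample entry) is still flagged.
        if command == "STOR" and STORED_NAME.fullmatch(arg):
            hits[client].add("stored_name")
    return {ip: sorted(found) for ip, found in hits.items()}


if __name__ == "__main__":
    for ip, found in sorted(find_exfil(SAMPLE_LOG).items()):
        print(ip, ", ".join(found))
```

A client that matches any of the three indicators has most likely opened the document with macros enabled, so its PGP secret key ring should be treated as disclosed.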