[109054] in Cypherpunks
Re: Is PGP crackable
daemon@ATHENA.MIT.EDU (Bill Stewart)
Tue Mar 9 18:48:10 1999
Date: Tue, 09 Mar 1999 00:17:06 -0800
To: Steve Mynott <steve@tightrope.demon.co.uk>,
lutz@taranis.iks-jena.de (Lutz Donnerhacke)
From: Bill Stewart <bill.stewart@pobox.com>
Cc: cypherpunks@algebra.com
In-Reply-To: <19990308150136.A12874@tightrope.demon.co.uk>
Reply-To: Bill Stewart <bill.stewart@pobox.com>

At 03:01 PM 3/8/99 +0000, Steve Mynott wrote:
>how many of us keep our secret keys on our (insecure) unix servers?
>
>and type the pass phrases in clear text online over telnet?
>
>how easy is it to backdoor the PGP binary to capture passphrases?

Why backdoor the _PGP_ binary when many of us are running MSWindows?
Just steal the keystrokes. There's been an Ethan MSWord macro virus
running rampant the last month or two, and I've heard of one
macro virus that tries to steal PGP secret key files.

There are two vulnerabilities with PGP's secret key file.
One is that user names are visible, so if you're worried
that someone who steals your secret key file can tell
if you're using the alias Commandante Zero, you do have to worry.
The other is that your passphrases can be arbitrarily selected,
and if you select weak ones, it's possible to run a program like
PGPcrack and brute force them.

Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639