[39346] in cryptography@c2.net mail archive
Re: A security bug in PGP products?
daemon@ATHENA.MIT.EDU (Travis H.)
Wed Aug 30 10:32:59 2006
X-Original-To: cryptography@metzdowd.com
Date: Mon, 28 Aug 2006 21:36:11 -0500
From: "Travis H." <solinym@gmail.com>
To: "Dave Korn" <dave.korn@artimi.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <026701c6c6db$30899be0$a501a8c0@CAM.ARTIMI.COM>
On 8/23/06, Dave Korn <dave.korn@artimi.com> wrote:
> Given that, whatever passphrase you use, you will decrypt the EDK block and
> get /something/ that looks like a key, this comparison of hashes is a sanity
> test. If you bypass it but enter the wrong passphrase, you'll get an
> incorrectly-decrypted EDK, which will lead your disk to look like every sector
> is full of random garbage. Rather than decrypt the entire disk and run chkdsk
> to see if it looks sane, comparing the hashes of the passphrase is a quick and
> dirty way of testing if the resulting EDK is going to be the correct one.
The PGP email encryption has two known-plaintext bytes for that purpose.
This only honors a bad key 2^16 of the time, but ensures that brute-forcing
must do a more extensive unknown-plaintext attack at that rate for any
potentially-correct key.
This reminds me a little of the suggestions that MACs should be truncated,
although it seems to me that it's better to encrypt a hash of the plaintext.
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
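The three sanity checks discussed in this thread side by side, as an added illustration that is not part of the original message and not PGP's code: a stored hash of the passphrase (the quick-and-dirty test Korn describes), a short known-plaintext check where two bytes of a random prefix are repeated (the "two known-plaintext bytes" Travis mentions), and an encrypted hash of the plaintext (the alternative he prefers). The cipher is a constructed SHA-256 keystream, not OpenPGP's CFB mode, and `derive_key` is a stand-in for PGP's string-to-key function; both are assumptions of this example only. With two check bytes a wrong key slips past the short check one time in 2^16, which is what makes it a sanity test rather than integrity protection; the encrypted hash rejects any wrong key or altered data.

```python
import hashlib
import hmac
import os

CHECK_BYTES = 2  # the "two known-plaintext bytes" from the message


def _keystream(key: bytes, length: int) -> bytes:
    # Constructed toy keystream: block i = SHA-256(key || i). Not OpenPGP's mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, data: bytes) -> bytes:
    # Stream-cipher encrypt/decrypt (same operation both ways).
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Passphrase -> 32-byte key; stands in for PGP's string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000)


# 1. Stored passphrase hash: compares a hash of the passphrase, not the data.
def make_passphrase_check(passphrase: str, salt: bytes) -> bytes:
    return hashlib.sha256(b"check:" + derive_key(passphrase, salt)).digest()


def passphrase_matches(passphrase: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(make_passphrase_check(passphrase, salt), stored)


# 2. Short known-plaintext check: last two prefix bytes are repeated, so the
#    decryptor can reject most wrong keys after decrypting only 10 bytes.
def encrypt_with_quick_check(key: bytes, plaintext: bytes) -> bytes:
    prefix = os.urandom(8)
    return _xor(key, prefix + prefix[-CHECK_BYTES:] + plaintext)


def decrypt_with_quick_check(key: bytes, ciphertext: bytes):
    # Returns plaintext, or None when the repeated bytes disagree.
    # A wrong key still passes with probability 2^-16 (one in 65536).
    data = _xor(key, ciphertext)
    if data[8 - CHECK_BYTES:8] != data[8:8 + CHECK_BYTES]:
        return None
    return data[8 + CHECK_BYTES:]


# 3. Encrypted hash of the plaintext: a full check over the whole message.
def encrypt_with_hash(key: bytes, plaintext: bytes) -> bytes:
    return _xor(key, hashlib.sha256(plaintext).digest() + plaintext)


def decrypt_with_hash(key: bytes, ciphertext: bytes):
    data = _xor(key, ciphertext)
    tag, plaintext = data[:32], data[32:]
    if not hmac.compare_digest(tag, hashlib.sha256(plaintext).digest()):
        return None
    return plaintext


def false_accept_rate(check_bytes: int = CHECK_BYTES) -> float:
    # Chance that a wrong key survives a check of `check_bytes` known bytes.
    return 2.0 ** (-8 * check_bytes)


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample value
    good = derive_key("correct passphrase", salt)
    bad = derive_key("wrong passphrase", salt)
    stored = make_passphrase_check("correct passphrase", salt)
    print("passphrase hash ok:", passphrase_matches("correct passphrase", salt, stored))
    ct = encrypt_with_quick_check(good, b"sector data")
    print("quick check, right key:", decrypt_with_quick_check(good, ct))
    print("quick check, wrong key:", decrypt_with_quick_check(bad, ct))
    print("false-accept rate of quick check:", false_accept_rate())
    ct2 = encrypt_with_hash(good, b"sector data")
    print("hash check, wrong key:", decrypt_with_hash(bad, ct2))
```

Run it as a script to see each check accept the right key and reject the wrong one; `false_accept_rate()` prints the 2^-16 figure, which is why the two-byte test is only a fast filter ahead of a full decryption.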
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com