1997-06-17 - Re: Impact of Netscape kernel hole (fwd)

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@Algebra.COM
Message Hash: c225338c64dfd11d2c04851156542f2e66505a9a0306e8e22beafd70e8cf2243
Message ID: <3.0.2.32.19970616183010.0074a894@popd.ix.netcom.com>
Reply To: <Pine.LNX.3.91.970614112312.1213B-100000@fatmans.demon.co.uk>
UTC Datetime: 1997-06-17 02:01:48 UTC
Raw Date: Tue, 17 Jun 1997 10:01:48 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 17 Jun 1997 10:01:48 +0800
To: cypherpunks@Algebra.COM
Subject: Re: Impact of Netscape kernel hole (fwd)
In-Reply-To: <Pine.LNX.3.91.970614112312.1213B-100000@fatmans.demon.co.uk>
Message-ID: <3.0.2.32.19970616183010.0074a894@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



>Joe "slightly crypto-savvy pgp user" sixpack keeps his pgp keyring in 
>c:\pgp on a dos/w95 box. The average user of any of the unices keeps his 
>keyring in /usr/pgp or /usr/local/pgp; it does not take a lot of attempts 
>to go through most of the common places.
>
>The very same guy probably has a password that is:
> [Dictionary attack on wimpy passphrases]

With PGP 2.0 ... 4.0 secret keyring files, there's another attack.
(I don't know if PGP 5.0 files have this problem or not.)
You can't get the secret key itself from the password file without cracking 
the IDEA password (or algorithm), but the user-name is in cleartext.
	Joe Sixpack <jr6@aol.com>            0x98458509834295834098589...
	Joe Sixpack <purchasing@work.com>    0x34543905843f90853490545...
	Jane Doe #2 <janedoe2@nym.alias.net> 0x2d0e2d0e231415926535487...
	Lone Ranger <maskedman@dopedeal.com> 0x23dead5beef890832455345...
	TruthMunger <medusa@blacknet.gov>    0x27182818284590459024090...
	Arms Buyer  <getguns@freeburma.org>  0x08908024308732049872390...
If you've got pseudonyms as well as your real name, they show;
you've got all the usual risks of traffic analysis, outing, etc.	
and your secret identity is toast.  For most people, it's not a big risk,
but if you really _do_ need to keep your pseudonym untraceable,
this lets it leak out of your encrypted hard disk, which would be Bad.


					Publius
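
An added example, not part of the original message: a minimal reader for the old-format packet framing used by PGP 2.x keyrings (later documented in RFC 1991), showing that user ID packets in a secret keyring can be listed without any passphrase. The sample keyring is constructed, with opaque bytes standing in for the protected key material, and the function names are illustrative.

```python
TAG_SECRET_KEY = 5   # body: public parameters plus passphrase-protected secret parameters
TAG_USER_ID = 13     # body: the name and address as plain text

def packets(data):
    """Yield (tag, body) for each old-format packet in a keyring byte string."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0x80:              # bit 7 set, bit 6 clear = old format
            raise ValueError(f"no old-format packet header at offset {pos}")
        tag, len_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if len_type == 3:
            raise ValueError("indeterminate length is not expected in a keyring")
        nlen = 1 << len_type                # 1, 2 or 4 length octets
        start = pos + 1 + nlen
        if start > len(data):
            raise ValueError("truncated packet header")
        end = start + int.from_bytes(data[pos + 1:start], "big")
        if end > len(data):
            raise ValueError("truncated packet body")
        yield tag, data[start:end]
        pos = end

def exposed_user_ids(data):
    """Return every user ID readable from the keyring with no passphrase."""
    return [body.decode("latin-1") for tag, body in packets(data) if tag == TAG_USER_ID]

def old_packet(tag, body):
    """Build an old-format packet (used only to construct the sample below)."""
    len_type = 0 if len(body) < 256 else 1
    header = bytes([0x80 | (tag << 2) | len_type])
    return header + len(body).to_bytes(1 << len_type, "big") + body

# Constructed sample: two secret keys whose bodies are opaque placeholder bytes,
# each followed by a user ID taken from the list in the message above.
SAMPLE = (
    old_packet(TAG_SECRET_KEY, bytes(range(64)))
    + old_packet(TAG_USER_ID, b"Joe Sixpack <jr6@aol.com>")
    + old_packet(TAG_SECRET_KEY, bytes(range(64, 128)))
    + old_packet(TAG_USER_ID, b"Jane Doe #2 <janedoe2@nym.alias.net>")
)

if __name__ == "__main__":
    for uid in exposed_user_ids(SAMPLE):
        print(uid)
```

Running the same reader over a copy of your own keyring file shows which names would be visible to anyone who obtains that file.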





