[Full-disclosure] Re: PGP & Truecrypt "A Nasty Security Bug"

Markus Jansson seemyhomepage at katsokotisivuilta.ni
Sat May 27 20:55:20 BST 2006


From what I understood, this is really not any kind of bug. The issue is 
simple: If you have encrypted something the way PGP/Truecrypt does (that 
is, it creates an encryption key and encrypts that with an encryption key 
created from your passphrase), you can of course do this.

How? Well, since you can always hold the original encryption key used. 
It doesn't matter how many times the passphrase is changed, since the 
original "master" encryption key remains the same. This is the basic 
issue here.

Lesson: Don't just change passphrases when re-using encrypted containers 
etc. but RECRYPT the container.

Point: Anything encrypted with PGP/Truecrypt is still secure if you have 
a complex passphrase on it and don't let anyone else know what it is.

-- 
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
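
The key-wrapping behaviour described in the message above, as an added example that is not part of the original post and is not PGP or TrueCrypt code. All function names are hypothetical, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream), not either product's real format.

```python
import hashlib, hmac, os

def _kek(passphrase, salt):
    # Passphrase-derived key-encryption key (iteration count kept low for the demo).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000)

def _stream(key, data):
    # Stand-in cipher: XOR with an HMAC-SHA256 counter keystream. Illustration only.
    ks = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_header(master, passphrase):
    # The header stores the master key wrapped under the passphrase-derived key.
    salt = os.urandom(16)
    kek = _kek(passphrase, salt)
    wrapped = _stream(kek, master)
    return salt, wrapped, hmac.new(kek, wrapped, hashlib.sha256).digest()

def open_header(header, passphrase):
    salt, wrapped, tag = header
    kek = _kek(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None  # wrong passphrase
    return _stream(kek, wrapped)

def change_passphrase(header, old, new):
    # Only the header is rewritten; the master key and the body stay the same.
    return make_header(open_header(header, old), new)

def reencrypt(header, body, old, new):
    # Fresh master key: the whole body is decrypted and encrypted again.
    plaintext = _stream(open_header(header, old), body)
    master = os.urandom(32)
    return make_header(master, new), _stream(master, plaintext)

def demo():
    secret = b"constructed sample data inside the container"
    master = os.urandom(32)
    header, body = make_header(master, "old-pass"), _stream(master, secret)
    old_header_copy = header                      # a copy of the old header was kept
    header = change_passphrase(header, "old-pass", "new-pass")
    stale_key = open_header(old_header_copy, "old-pass")
    after_change = _stream(stale_key, body) == secret     # old key still opens the body
    header, body = reencrypt(header, body, "new-pass", "new-pass")
    after_reencrypt = _stream(stale_key, body) == secret  # old key no longer works
    still_ok = _stream(open_header(header, "new-pass"), body) == secret
    return after_change, after_reencrypt, still_ok
```

`demo()` returns whether the retained master key still decrypts the body after a passphrase change, whether it does after re-encryption, and whether the legitimate user can still read the re-encrypted container.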




Full-Disclosure is hosted and sponsored by Secunia.