Impact of Netscape kernel hole (fwd)

Bill Stewart stewarts at ix.netcom.com
Mon Jun 16 19:01:48 PDT 1997



>Joe "slightly crypto-savvy pgp user" sixpack keeps his pgp keyring in 
>c:\pgp on a dos/w95 box. The average user of any of the unices keeps his 
>keyring in /usr/pgp or /usr/local/pgp it does not take a lot of attempts 
>to go through most of the common places.
>
>The very same guy probably has a password that is:
>[Dictionary attack on wimpy passphrases]

With PGP 2.0 ... 4.0 secret keyring files, there's another attack.
(I don't know if PGP 5.0 files have this problem or not.)
You can't get the secret key itself from the password file without cracking 
the IDEA password (or algorithm), but the user-name is in cleartext.
	Joe Sixpack <jr6 at aol.com>            0x98458509834295834098589...
	Joe Sixpack <purchasing at work.com>    0x34543905843f90853490545...
	Jane Doe #2 <janedoe2 at nym.alias.net> 0x2d0e2d0e231415926535487...
	Lone Ranger <maskedman at dopedeal.com> 0x23dead5beef890832455345...
	TruthMunger <medusa at blacknet.gov>    0x27182818284590459024090...
	Arms Buyer  <getguns at freeburma.org>  0x08908024308732049872390...
If you've got pseudonyms as well as your real name, they show;
you've got all the usual risks of traffic analysis, outing, etc.
and your secret identity is toast.  For most people, it's not a big risk,
but if you really _do_ need to keep your pseudonym untraceable,
this lets it leak out of your encrypted hard disk, which would be Bad.


					Publius
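
An added example, not part of the original message: a minimal Python reader for the old-format packet framing of PGP 2.x keyrings (RFC 1991), run over a constructed sample, showing that user ID packets are readable with no passphrase even when the secret key components are marked as encrypted. The sample bytes, names, addresses and function names are this example's own assumptions.

```python
# Added example: constructed data, not taken from any real keyring.
TAG_SECRET_KEY, TAG_USER_ID = 5, 13

def packets(blob):
    """Yield (tag, body) for each old-format packet (RFC 1991 framing)."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if ctb & 0xC0 != 0x80:
            raise ValueError(f"no old-format packet header at offset {i}")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:                      # indeterminate length: rest of file
            yield tag, blob[i + 1:]
            return
        n = 1 << ltype                      # length field is 1, 2 or 4 bytes
        length = int.from_bytes(blob[i + 1:i + 1 + n], "big")
        body = blob[i + 1 + n:i + 1 + n + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += 1 + n + length

def skip_mpi(body, off):
    """Step over one multiprecision integer: 2-byte bit count, then the bytes."""
    return off + 2 + (int.from_bytes(body[off:off + 2], "big") + 7) // 8

def key_is_encrypted(body):
    """Body: version, time(4), validity(2), pk-alg, MPI n, MPI e, cipher byte."""
    return body[skip_mpi(body, skip_mpi(body, 8))] != 0   # 0 = unprotected

def audit(blob):
    """List what is readable with no passphrase: [(key encrypted?, [user IDs])]."""
    report = []
    for tag, body in packets(blob):
        if tag == TAG_SECRET_KEY:
            report.append((key_is_encrypted(body), []))
        elif tag == TAG_USER_ID and report:
            report[-1][1].append(body.decode("latin-1"))
    return report

def make_pkt(tag, body):                    # builds the constructed sample
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body

PUB = bytes([3]) + bytes(6) + b"\x01" + b"\x00\x10\xc3\x51" + b"\x00\x05\x11"  # toy n, e
SAMPLE = (make_pkt(5, PUB + b"\x01" + bytes(8) + b"\xaa" * 12)  # cipher byte 1 = IDEA
          + make_pkt(13, b"Real Name <real@example.com>")
          + make_pkt(5, PUB + b"\x01" + bytes(8) + b"\xbb" * 12)
          + make_pkt(13, b"Pseudonym <nym@example.net>"))

if __name__ == "__main__":
    for encrypted, uids in audit(SAMPLE):
        print("secret key encrypted:", encrypted, "| cleartext user IDs:", uids)
```

Run against a copy of one's own keyring file, the same audit shows which identities anyone holding that file can link together.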






