
PGP Broken....by Mcafee?


posted on Aug, 22 2004 @ 12:29 AM
Romeo:

Yes, I do know PGP - I actually helped with the creation of the Open PGP standard
The example you gave is how PKI (and PGP) works and it is open to middle-man attacks if the public key is provided over the Internet.

Basically, a "middle man" attack can exist for transfer of ANY data over the Internet - including secure communications. The gist of it comes in the form of a "control" computer in-between the two communicating computers. The "control" computer receives data from person A, decrypts it with "their" keys...has a look...re-encrypts it with "their" keys and sends it to person B. Person B of course thinks he/she has the public key of person A but in actual fact person B has the public key of the "control" computer, THUS all encrypted data sent either way can always be decrypted by the control computer...and of course person A thinks he/she has the public key of person B but in actual fact, he/she has the public key of the "control" computer.
The only way a middle-man attack can work is if it intercepts the transmission of the first keys. This can also easily be done for SSL as well...

You think you are living in a secure environment but in actual fact it can be very insecure


The example I gave for unbreakable encryption is actually called "single pad" - totally different to PGP and is unbreakable (except brute force and even that is impossible if the part of the pad used to encrypt the data is very large (ie key length wise)) as there is no use of key pairs. The only problem is convenience - you have to get a copy of the "single pad" to the sender and receiver.

I know the mil used to use this and they probably still use it for very high level stuff.

Cheers

JS


[edit on 22-8-2004 by jumpspace]
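
The key substitution described in the post above, and the out-of-band fingerprint comparison that exposes it, as an added example that is not part of the original post. The tiny textbook-RSA keys, the `send_to_b` and `fingerprint` names and the message are constructed for illustration only.

```python
import hashlib

# Constructed textbook-RSA keys (n, e) / (n, d); tiny on purpose, illustration only.
B_PUB, B_PRIV = (3233, 17), (3233, 2753)    # person B
C_PUB, C_PRIV = (8633, 5), (8633, 5069)     # the "control" computer

def encrypt(pub, text):
    n, e = pub
    return [pow(b, e, n) for b in text.encode()]

def decrypt(priv, blocks):
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks).decode()

def fingerprint(pub):
    """Short digest of a public key, read out over a second channel (phone, in person)."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

def send_to_b(message, first_key_intercepted):
    # Key distribution: person A fetches "B's public key" over the network.
    key_a_holds = C_PUB if first_key_intercepted else B_PUB
    wire = encrypt(key_a_holds, message)

    seen_by_control = None
    if first_key_intercepted:
        seen_by_control = decrypt(C_PRIV, wire)    # control computer reads ...
        wire = encrypt(B_PUB, seen_by_control)     # ... and re-encrypts for B

    return {
        # B decrypts without error in both cases, so B notices nothing.
        "b_received": decrypt(B_PRIV, wire),
        "seen_by_control": seen_by_control,
        # A compares the key it holds against the fingerprint B states out of band.
        "fingerprint_ok": fingerprint(key_a_holds) == fingerprint(B_PUB),
    }

if __name__ == "__main__":
    for intercepted in (False, True):
        print(intercepted, send_to_b("wire the funds on Friday", intercepted))
```

In both runs person B receives the message intact; only the fingerprint comparison distinguishes the intercepted exchange from the honest one.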



posted on Aug, 22 2004 @ 12:39 AM
How effective would it be to use an encryption system that encrypts a message into plain text instead of a binary type format? Where all the content of the encrypted message is common words. So any supercomputer used to decrypt the message could not pick up a transition from a binary type format to a word based format. I would think that the message would have to be manually decrypted and that would be basically impossible.



posted on Aug, 22 2004 @ 01:18 AM
Indy:

In the computer world all text is binary anyways so if you did encrypt to text then that could be converted to binary quite easily using 8/16/32/64 bit formatting


The ANSI character set (256 characters) actually fits snugly into the 8 bit code...which actually handles at max 256 characters.

When encryption occurs, it results in a binary file, however for transmission over the Internet it is encoded using base 64 and MIME etc (mainly so that e-mail servers can receive the data and not get "thrown").

Cheers

JS



posted on Aug, 22 2004 @ 01:29 AM
Yeah but with pgp encrypted email there is an attachment to the email. This attachment is the encrypted message. It is a binary type message. When you view this file it is basically an endless stream of random characters. Once decrypted this file takes on a completely different appearance. A decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file and ending file are similar how can you tell if you actually decrypted it or not?



posted on Aug, 22 2004 @ 01:36 AM
thanks jumpspace.
So if you were to use something what would you pick, for the home office?



posted on Aug, 22 2004 @ 02:15 AM
Indy:

"A decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file and ending file are similar how can you tell if you actually decrypted it or not?"

Sorry, I can't understand what you're asking


Romeo:

Hmmm, if I wanted to secure something 100% over the Internet, I would use single pad encryption. There are probably programs out there to do that. To achieve 100% anonymity, you would have to write a basic program yourself to do this, ie provide a button to point to the file to be encrypted/decrypted and a button to point to the pad file.

I would say that the program out there without "back doors" would have to be one of the original programs that Phil Zimmermann posted that got him thrown in the clink, however whether your download has subsequently been "modified" or "intercepted" or not, I could not say.

The version you can use for international use is 2.6.3i...but you cannot use it in the USA...the patent people etc don't like it. From the readme file:

"LEGAL STUFF

PGP 2.6.3i is not approved by MIT or PRZ or NSA or the Pope or anyone else. However, it should be possible to use it legally by anyone in the free world (i.e. all countries except USA, France, Iraq and a few others). There are three reasons why people may claim (incorrectly) that PGP 2.6.3i is illegal: "

More info at:

www.pa.msu.edu...

The only problem is:

If you use the original program, it is not supported by Network Associates...hmmm...I wonder why?

If you want really good encryption, you have to do what you do with firewalls (ie dual firewalls) - you have to encrypt a number of times (the more the better) with programs from different countries. That way, if NAI and NSA are "friends" then they could only decrypt the NAI version and not, say, a Russian version etc.

Personally, I don't encrypt anything as I've got nothing to hide, however if I was doing business with a foreign entity and there was a possibility that the deal could crash if the data got into "whoever's" hands then yes, I would use a "single pad" style of encryption - would probably even fly to the country first to exchange the single pad and program to make sure all comms. were secure.

Cheers

JS



posted on Aug, 22 2004 @ 02:21 AM
jumpspace... all the files you use on your computer and on the net have a certain format to them. That's why you can name a file mypic.hahahaha and your viewer will still be able to display it because it understands the format. I can make a file reallytext.jpg (a renamed text file) and the viewer wouldn't spew out errors. So if I encrypt a text message into a pgp file a decryption program would be able to identify when its attempt to break the code was successful because the resulting output would be a valid text file instead of an invalid file type. If your encryption/decryption system used only common words then the software would not be able to pick up a change in the file type. Meaning a human would have to go through and manually run each possible code to decrypt the message. Even then it would be hard to tell if the resulting message was real or a failed attempt to decrypt.

Make sense?



posted on Aug, 22 2004 @ 02:39 AM
Indy:

I think I get what you're saying.

Yes, you could do that - it is similar to a single pad method in that *really* the sender and receiver have to have a "common" algorithm/format/method to encrypt/decrypt - whether it's words, a single pad file, newspaper headlines on certain pages etc etc...

Cheers

JS



posted on Aug, 22 2004 @ 04:10 AM
For paranoids I suggest Safeguard Easy 4.0 from Utimaco.

www.utimaco.com...

It's not breakable and comes without nasty NSA backdoors. And yes, some PGP have flaws built in but as already mentioned, OpenPGP is secure.



posted on Aug, 22 2004 @ 11:58 AM
jumpspace:

I may be wrong but doesn't a single pad (I think it's called the Vernam cipher, try Google) algorithm use the same size key length as the message? That would mean that you'd have to write down the key because it would get rather lengthy; that's probably not the cipher you were talking about - it's not a very practical solution. We saw a demo of this in my Java class, where you used a certain inherited class to XOR the plaintext and voila you have your cypher text. The other end of the spectrum would then need the key and then to XOR the result using the same algorithm. The only problem was that if your cipher stream didn't synchronize correctly your message would turn out a bunch of garbage.

EDIT: Of course I forgot to mention it's unbreakable because of its true randomness

[edit on 22-8-2004 by Linux]
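
The XOR pad scheme discussed in the posts above, as an added example that is not part of the original thread. It shows a synchronized round trip, the garbage produced when the two ends disagree on the pad position, and why trying every pad cannot single out the real message: some pad maps the ciphertext to any guess of the same length. The `Pad` class, `pad_that_yields` and the messages are constructed for illustration.

```python
import secrets

def xor_bytes(data, key):
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

class Pad:
    """Shared pad with a position counter so no pad byte is used twice."""
    def __init__(self, material):
        self.material = material
        self.pos = 0

    def apply(self, data):
        chunk = self.material[self.pos:self.pos + len(data)]
        if len(chunk) < len(data):
            raise ValueError("pad exhausted")
        self.pos += len(data)
        return xor_bytes(data, chunk)    # same operation encrypts and decrypts

def pad_that_yields(ciphertext, guess):
    """The pad under which `ciphertext` would decrypt to `guess` (same length)."""
    return xor_bytes(ciphertext, guess)

def demo():
    material = secrets.token_bytes(64)   # truly random, exchanged in advance
    sender, receiver = Pad(material), Pad(material)
    c1 = sender.apply(b"MEET AT NOON")
    c2 = sender.apply(b"BRING THE PAD")

    in_sync = receiver.apply(c1)         # both counters advanced together

    # A receiver that never saw c1 is still at position 0 when c2 arrives.
    out_of_sync = Pad(material).apply(c2)

    # A different, equally valid-looking pad turns c1 into another message.
    decoy = xor_bytes(c1, pad_that_yields(c1, b"STAY AT HOME"))
    return in_sync, out_of_sync, decoy

if __name__ == "__main__":
    print(demo())
```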



posted on Aug, 28 2004 @ 07:32 AM
Sorry for the delay, my ISP killed my account (And I think I know why *wink wink*)
Yes, I have tried scanning it on another computer using the same alpha version software and I get the same result.
I roughly know how PGP works and I think this is the strangest thing known to man.
The fact is unless the NSA, or some agency with that sort of power, has a backdoor in PGP then PGP is going to take a hell of a long time to crack.
The only thing I can think of that can be correct or plausible is an exploit in the PGP software.



A program full of bugs is better than any backdoor -Agent Nesh

Agent Nesh is serving prison time I believe.

Did I mention McAfee isn't talking to me lately?
Haven't heard from them in ages.
There has to be a simple explanation.



posted on Aug, 28 2004 @ 10:28 AM
Even if the server file isn't opened, it should be detected. I've used Norton Anti-Virus for years and it's always alerted me to the presence of the file - even when the back door isn't planted yet.

edit: or am I not understanding something correctly here?

[edit on 28-8-2004 by Kymus]



posted on Nov, 19 2004 @ 04:54 AM
I'm no expert on computers, but if someone created it, someone can crack it.



