It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

PGP Broken....by Mcafee?

page: 2
0
<< 1   >>

log in

join
share:

posted on Aug, 22 2004 @ 12:29 AM
link   
Romeo:

Yes, I do know PGP - I actually helped with the creation of the Open PGP standard
The example you gave is how PKI (and PGP) works and it is open to middle-man attacks if the public key is provided over the Internet.

Basically, a "middle man" attack can exist for transfer of ANY data over the Internet - including secure communications. The jist of it comes in the form of a "control" computer in-between the two communicating computers. The "control" computer receives data from person A, decrypts it with "their" keys...has a look...re-encrypts it with "their" keys and sends it to person B . Person B of course thinks he/she has the public key of person A but in actual fact person B has the public key of the "control" computer, THUS all encrypted data sent either way can always be decrypted by the control computer...and of course person A thinks he/she has the public key of person B but in actual fact, he/she has the public key of the "control" computer
The only way a middle-man attack can work is if it intercepts the transmission of the first keys. This can also easily be done for SSL as well...

You think you are living in a secure environment but in actual fact it can be very insecure


The example I gave for unbreakable encryption is actually called "single pad" - totally different to PGP and is unbreakable (except brute force and even that is impossible is the part of the pad used to encrypt the data is very large (ie key length wise)) as there is no use of key pairs. The only problem is conveniance - you have to get a copy of the "single pad" to the sender and receiver.

I know the mil used to use this and they probably still use it for very high level stuff.

Cheers

JS


[edit on 22-8-2004 by jumpspace]




posted on Aug, 22 2004 @ 12:39 AM
link   
How effective would it be to use an encryption system that encrypts a message into plain text instead of a binary type format. Where all the content of the encrypted message is common words. So any supercomputer used to decrypt the message could not pick up a transition for a binary type format to a word based format. I would think that the message would have to be manually decrypted and that would be basically impossible.



posted on Aug, 22 2004 @ 01:18 AM
link   
Indy:

In the computer world all text is binary anyways so if you did encrypt to text then that could be converted to binary quite easily using 8/16/32/64 bit formatting


The ANSI character set (256 characters) actually fits snuggly into the 8 bit code...which actualy handles at max 256 characters.

When encryption occurs, it results in a binary file, however for transmission over the Internet it is encoded using base 64 and MIME etc (mainly so that e-mail servers can receive the data and not get "thrown").

Cheers

JS



posted on Aug, 22 2004 @ 01:29 AM
link   
Yeah but with pgp encrypted email there is an attachment to the email. This attachment is the encrypted message. It is a binary type message. When you view this file it is basically an endless stream of random characters. Once decrypted this file takes on a completely different appearance. A decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file and ending file are similar how can you tell if you actually decrypted it or not?



posted on Aug, 22 2004 @ 01:36 AM
link   
thanks jumpspace.
So if you were to use something what would you pick, for the home office?



posted on Aug, 22 2004 @ 02:15 AM
link   
Indy:

"A decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file and ending file are similar how can you tell if you actually decrypted it or not?"

Sorry, I can't understand what you're asking


Romeo:

Hmmm, if I wanted to secure something 100% over the Internet, I would use single pad encryption. There are probably programs out there to do that. To achieve 100% anomominity, you would have to write a basic program yourself to do this, ie provide a button to point to the file to be encrypted/devrypted and a button to point to the pad file.

I would say that the program out there without "back doors" would have to be one of the original programs that Phil Zimmerman posted that got him thrown in the clink, however whether your download has subsequently been "modified" or "intercepted" or not, I could not say.

The version you can use for international use is 2.6.3i...but you cannot use it in the USA...the patent people etc don't like it. From the readme file:

"LEGAL STUFF

PGP 2.6.3i is not approved by MIT or PRZ or NSA or the Pope or anyone else. However, it should be possible to use it legally by anyone in the free world (i.e. all countries except USA, France, Iraq and a few others). There are three reasons why people may claim (incorrectly) that PGP 2.6.3i is illegal: "

More info at:

www.pa.msu.edu...

The only problem is:

If you use the original program, it is not supported by Network Associates...hmmm...I wonder why?

If you want really good encryption, you have to do what you do with firewalls (ie dual firewalls) - you have to encrypt a number of times (the more the better) with programs from different countries. That way, if NAI and NSA are "friends" then they could only decrypt the NAI version and not, say, a russian version etc.

Personally, I don't encrypt anything as I've got nothing to hide, however if I was doing business with a foreign entity and there was a possibility that the deal could crash if the data got into "whoever's" hands then yes, I would use a "single pad" style of encryption - would probably even fly to the country first to xchange the single pad and program to make sure all comms. were secure.

Cheers

JS



posted on Aug, 22 2004 @ 02:21 AM
link   
jumpspace... all the files you use on your computer and on the net have a certain format to them. Thats why you can name a file mypic.hahahaha and your viewer will still be able to display it because it understands the format. I can make a file reallytext.jpg (a renamed text file) and the viewer wouldn't spew out errors. So if I encrypt a text message into a pgp file a decryption program would be able to identify when its attempt to break the code was successful because the resulting output would be a valid text file instead of an invalid file type. If your encryption/decryption system used only common words then the software would not be able to pick up a change in the file type. Meaning a human would have to go through and manually run each possible code to decrypt the message. Even then it would be hard to tell if the resulting message was real or a failed attempt to decrypt.

Make sense?



posted on Aug, 22 2004 @ 02:39 AM
link   
Indy:

I think I get what you're saying.

Yes, you could do that - it is similar to a single pad menthod in that *really* the sender and receiver have to have a "common" algorithm/format/method to encrypt/decrypt - whether it's words, a single pad file, newspaper headlines on certain pages etc etc...

Cheers

JS



posted on Aug, 22 2004 @ 04:10 AM
link   
For paranoids I suggest Safeguard Easy 4.0 from Utimaco.

www.utimaco.com...

It's not breakable and comes without nasty NSA backdoors. And yes, some PGP have flaws built in but as already mentioned, OpenPGP is secure.



posted on Aug, 22 2004 @ 11:58 AM
link   
jumpspace:

I may be wrong but doesn't a single pad (I think its called the Vernam cipher try google) algorithm use the same size key length as the message? That would mean that you'd have to write down the key because it would get rather lengthly, thats probably not the cipher you were talking about - its not a very practical solution. We saw a demo of this in my Java class, where you used a certain inherited class to XOR the plaintext and voila you have your cypher text. The other end of the spectrum would then need the key and then then to XOR the result using the same algorithm. The only problem was that if your cipher stream didn't synchronize correctly your message would turn out a bunch of garbage.

EDIT: Of course I forgot to mention its unbreakable because its true randomness

[edit on 22-8-2004 by Linux]



posted on Aug, 28 2004 @ 07:32 AM
link   
Sorry for the delay, my ISP killed my account (And I think I know why *wink wink*)
Yes, I have tried scanned it on another computer using the same alpha version software and I get the same result.
I roughly know how PGP works and I think this is the strangest thing known to man.
The fact is unless the NSA, or some agency with that sought of power, has a backdoor in PGP then PGP is going to take a hell of a long time to crack.
The only thing I can think of that can be correct or plausible is an exploit in the PGP software.



An program full of bugs is better then any backdoor -Agent Nesh

Agent Nesh is serving prison time I believe.

Did I mention McAfee isn't talking to me lately?
Haven't heard from them in ages.
There has to be a simple explaination.



posted on Aug, 28 2004 @ 10:28 AM
link   
Even if the server file isn't opened, it should be detected. I've used Norton Anti-Virus for years and it's always alerted me to the presence of the file - even when the back door isn't planted yet.

edit: or am I not understanding something correctly here?

[edit on 28-8-2004 by Kymus]



posted on Nov, 19 2004 @ 04:54 AM
link   
im no expert on computers, but if someone created it, someone can crack it.



new topics

top topics



 
0
<< 1   >>

log in

join