It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
PGP Broken....by Mcafee?
page: 2share:
Romeo:
Yes, I do know PGP - I actually helped with the creation of the Open PGP standard The example you gave is how PKI (and PGP) works and it is open to middle-man attacks if the public key is provided over the Internet.
Basically, a "middle man" attack can exist for transfer of ANY data over the Internet - including secure communications. The jist of it comes in the form of a "control" computer in-between the two communicating computers. The "control" computer receives data from person A, decrypts it with "their" keys...has a look...re-encrypts it with "their" keys and sends it to person B . Person B of course thinks he/she has the public key of person A but in actual fact person B has the public key of the "control" computer, THUS all encrypted data sent either way can always be decrypted by the control computer...and of course person A thinks he/she has the public key of person B but in actual fact, he/she has the public key of the "control" computer The only way a middle-man attack can work is if it intercepts the transmission of the first keys. This can also easily be done for SSL as well...
You think you are living in a secure environment but in actual fact it can be very insecure
The example I gave for unbreakable encryption is actually called "single pad" - totally different to PGP and is unbreakable (except brute force and even that is impossible is the part of the pad used to encrypt the data is very large (ie key length wise)) as there is no use of key pairs. The only problem is conveniance - you have to get a copy of the "single pad" to the sender and receiver.
I know the mil used to use this and they probably still use it for very high level stuff.
Cheers
JS
[edit on 22-8-2004 by jumpspace]
Yes, I do know PGP - I actually helped with the creation of the Open PGP standard The example you gave is how PKI (and PGP) works and it is open to middle-man attacks if the public key is provided over the Internet.
Basically, a "middle man" attack can exist for transfer of ANY data over the Internet - including secure communications. The jist of it comes in the form of a "control" computer in-between the two communicating computers. The "control" computer receives data from person A, decrypts it with "their" keys...has a look...re-encrypts it with "their" keys and sends it to person B . Person B of course thinks he/she has the public key of person A but in actual fact person B has the public key of the "control" computer, THUS all encrypted data sent either way can always be decrypted by the control computer...and of course person A thinks he/she has the public key of person B but in actual fact, he/she has the public key of the "control" computer The only way a middle-man attack can work is if it intercepts the transmission of the first keys. This can also easily be done for SSL as well...
You think you are living in a secure environment but in actual fact it can be very insecure
The example I gave for unbreakable encryption is actually called "single pad" - totally different to PGP and is unbreakable (except brute force and even that is impossible is the part of the pad used to encrypt the data is very large (ie key length wise)) as there is no use of key pairs. The only problem is conveniance - you have to get a copy of the "single pad" to the sender and receiver.
I know the mil used to use this and they probably still use it for very high level stuff.
Cheers
JS
[edit on 22-8-2004 by jumpspace]
How effective would it be to use an encryption system that encrypts a message into plain text instead of a binary type format. Where all the content
of the encrypted message is common words. So any supercomputer used to decrypt the message could not pick up a transition for a binary type format to
a word based format. I would think that the message would have to be manually decrypted and that would be basically impossible.
Indy:
In the computer world all text is binary anyways so if you did encrypt to text then that could be converted to binary quite easily using 8/16/32/64 bit formatting
The ANSI character set (256 characters) actually fits snuggly into the 8 bit code...which actualy handles at max 256 characters.
When encryption occurs, it results in a binary file, however for transmission over the Internet it is encoded using base 64 and MIME etc (mainly so that e-mail servers can receive the data and not get "thrown").
Cheers
JS
In the computer world all text is binary anyways so if you did encrypt to text then that could be converted to binary quite easily using 8/16/32/64 bit formatting
The ANSI character set (256 characters) actually fits snuggly into the 8 bit code...which actualy handles at max 256 characters.
When encryption occurs, it results in a binary file, however for transmission over the Internet it is encoded using base 64 and MIME etc (mainly so that e-mail servers can receive the data and not get "thrown").
Cheers
JS
Yeah but with pgp encrypted email there is an attachment to the email. This attachment is the encrypted message. It is a binary type message. When
you view this file it is basically an endless stream of random characters. Once decrypted this file takes on a completely different appearance. A
decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file
and ending file are similar how can you tell if you actually decrypted it or not?
thanks jumpspace. So if you were to use something what would you pick, for the home office?
Indy:
"A decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file and ending file are similar how can you tell if you actually decrypted it or not?"
Sorry, I can't understand what you're asking
Romeo:
Hmmm, if I wanted to secure something 100% over the Internet, I would use single pad encryption. There are probably programs out there to do that. To achieve 100% anomominity, you would have to write a basic program yourself to do this, ie provide a button to point to the file to be encrypted/devrypted and a button to point to the pad file.
I would say that the program out there without "back doors" would have to be one of the original programs that Phil Zimmerman posted that got him thrown in the clink, however whether your download has subsequently been "modified" or "intercepted" or not, I could not say.
The version you can use for international use is 2.6.3i...but you cannot use it in the USA...the patent people etc don't like it. From the readme file:
"LEGAL STUFF
PGP 2.6.3i is not approved by MIT or PRZ or NSA or the Pope or anyone else. However, it should be possible to use it legally by anyone in the free world (i.e. all countries except USA, France, Iraq and a few others). There are three reasons why people may claim (incorrectly) that PGP 2.6.3i is illegal: "
More info at:
www.pa.msu.edu...
The only problem is:
If you use the original program, it is not supported by Network Associates...hmmm...I wonder why?
If you want really good encryption, you have to do what you do with firewalls (ie dual firewalls) - you have to encrypt a number of times (the more the better) with programs from different countries. That way, if NAI and NSA are "friends" then they could only decrypt the NAI version and not, say, a russian version etc.
Personally, I don't encrypt anything as I've got nothing to hide, however if I was doing business with a foreign entity and there was a possibility that the deal could crash if the data got into "whoever's" hands then yes, I would use a "single pad" style of encryption - would probably even fly to the country first to xchange the single pad and program to make sure all comms. were secure.
Cheers
JS
"A decryption program can watch for the transition from one file type to another. But if the program cannot tell the difference? If the beginning file and ending file are similar how can you tell if you actually decrypted it or not?"
Sorry, I can't understand what you're asking
Romeo:
Hmmm, if I wanted to secure something 100% over the Internet, I would use single pad encryption. There are probably programs out there to do that. To achieve 100% anomominity, you would have to write a basic program yourself to do this, ie provide a button to point to the file to be encrypted/devrypted and a button to point to the pad file.
I would say that the program out there without "back doors" would have to be one of the original programs that Phil Zimmerman posted that got him thrown in the clink, however whether your download has subsequently been "modified" or "intercepted" or not, I could not say.
The version you can use for international use is 2.6.3i...but you cannot use it in the USA...the patent people etc don't like it. From the readme file:
"LEGAL STUFF
PGP 2.6.3i is not approved by MIT or PRZ or NSA or the Pope or anyone else. However, it should be possible to use it legally by anyone in the free world (i.e. all countries except USA, France, Iraq and a few others). There are three reasons why people may claim (incorrectly) that PGP 2.6.3i is illegal: "
More info at:
www.pa.msu.edu...
The only problem is:
If you use the original program, it is not supported by Network Associates...hmmm...I wonder why?
If you want really good encryption, you have to do what you do with firewalls (ie dual firewalls) - you have to encrypt a number of times (the more the better) with programs from different countries. That way, if NAI and NSA are "friends" then they could only decrypt the NAI version and not, say, a russian version etc.
Personally, I don't encrypt anything as I've got nothing to hide, however if I was doing business with a foreign entity and there was a possibility that the deal could crash if the data got into "whoever's" hands then yes, I would use a "single pad" style of encryption - would probably even fly to the country first to xchange the single pad and program to make sure all comms. were secure.
Cheers
JS
jumpspace... all the files you use on your computer and on the net have a certain format to them. Thats why you can name a file mypic.hahahaha and
your viewer will still be able to display it because it understands the format. I can make a file reallytext.jpg (a renamed text file) and the
viewer wouldn't spew out errors. So if I encrypt a text message into a pgp file a decryption program would be able to identify when its attempt to
break the code was successful because the resulting output would be a valid text file instead of an invalid file type. If your encryption/decryption
system used only common words then the software would not be able to pick up a change in the file type. Meaning a human would have to go through and
manually run each possible code to decrypt the message. Even then it would be hard to tell if the resulting message was real or a failed attempt to
decrypt.
Make sense?
Make sense?
Indy:
I think I get what you're saying.
Yes, you could do that - it is similar to a single pad menthod in that *really* the sender and receiver have to have a "common" algorithm/format/method to encrypt/decrypt - whether it's words, a single pad file, newspaper headlines on certain pages etc etc...
Cheers
JS
I think I get what you're saying.
Yes, you could do that - it is similar to a single pad menthod in that *really* the sender and receiver have to have a "common" algorithm/format/method to encrypt/decrypt - whether it's words, a single pad file, newspaper headlines on certain pages etc etc...
Cheers
JS
For paranoids I suggest Safeguard Easy 4.0 from Utimaco.
www.utimaco.com...
It's not breakable and comes without nasty NSA backdoors. And yes, some PGP have flaws built in but as already mentioned, OpenPGP is secure.
www.utimaco.com...
It's not breakable and comes without nasty NSA backdoors. And yes, some PGP have flaws built in but as already mentioned, OpenPGP is secure.
jumpspace:
I may be wrong but doesn't a single pad (I think its called the Vernam cipher try google) algorithm use the same size key length as the message? That would mean that you'd have to write down the key because it would get rather lengthly, thats probably not the cipher you were talking about - its not a very practical solution. We saw a demo of this in my Java class, where you used a certain inherited class to XOR the plaintext and voila you have your cypher text. The other end of the spectrum would then need the key and then then to XOR the result using the same algorithm. The only problem was that if your cipher stream didn't synchronize correctly your message would turn out a bunch of garbage.
EDIT: Of course I forgot to mention its unbreakable because its true randomness
[edit on 22-8-2004 by Linux]
I may be wrong but doesn't a single pad (I think its called the Vernam cipher try google) algorithm use the same size key length as the message? That would mean that you'd have to write down the key because it would get rather lengthly, thats probably not the cipher you were talking about - its not a very practical solution. We saw a demo of this in my Java class, where you used a certain inherited class to XOR the plaintext and voila you have your cypher text. The other end of the spectrum would then need the key and then then to XOR the result using the same algorithm. The only problem was that if your cipher stream didn't synchronize correctly your message would turn out a bunch of garbage.
EDIT: Of course I forgot to mention its unbreakable because its true randomness
[edit on 22-8-2004 by Linux]
Sorry for the delay, my ISP killed my account (And I think I know why *wink wink*)
Yes, I have tried scanned it on another computer using the same alpha version software and I get the same result.
I roughly know how PGP works and I think this is the strangest thing known to man.
The fact is unless the NSA, or some agency with that sought of power, has a backdoor in PGP then PGP is going to take a hell of a long time to crack.
The only thing I can think of that can be correct or plausible is an exploit in the PGP software.
Agent Nesh is serving prison time I believe.
Did I mention McAfee isn't talking to me lately? Haven't heard from them in ages.
There has to be a simple explaination.
Yes, I have tried scanned it on another computer using the same alpha version software and I get the same result.
I roughly know how PGP works and I think this is the strangest thing known to man.
The fact is unless the NSA, or some agency with that sought of power, has a backdoor in PGP then PGP is going to take a hell of a long time to crack.
The only thing I can think of that can be correct or plausible is an exploit in the PGP software.
An program full of bugs is better then any backdoor -Agent Nesh
Agent Nesh is serving prison time I believe.
Did I mention McAfee isn't talking to me lately? Haven't heard from them in ages.
There has to be a simple explaination.
Even if the server file isn't opened, it should be detected. I've used Norton Anti-Virus for years and it's always alerted me to the presence of
the file - even when the back door isn't planted yet.
edit: or am I not understanding something correctly here?
[edit on 28-8-2004 by Kymus]
edit: or am I not understanding something correctly here?
[edit on 28-8-2004 by Kymus]
new topics
-
Stalker 2 - Review from a Veteran
Video Games: 1 hours ago -
Does anyone have a link to download apple pay for androids
General Chit Chat: 2 hours ago -
Most INSANE internet rabbit hole
Secret Societies: 3 hours ago -
Joe Rogan conspiracy (maybe)
ATS Skunk Works: 6 hours ago -
Results of the use of the Oreshnik missile system in Dnepropetrovsk
World War Three: 9 hours ago -
Nigel Farage now the Most Favoured UK Politician
Regional Politics: 10 hours ago
top topics
-
Little Johnny and Larry should team up
General Chit Chat: 16 hours ago, 13 flags -
Results of the use of the Oreshnik missile system in Dnepropetrovsk
World War Three: 9 hours ago, 12 flags -
Most INSANE internet rabbit hole
Secret Societies: 3 hours ago, 8 flags -
Nigel Farage now the Most Favoured UK Politician
Regional Politics: 10 hours ago, 4 flags -
Will Us use alien technology to fight in ww3?
World War Three: 17 hours ago, 3 flags -
Joe Rogan conspiracy (maybe)
ATS Skunk Works: 6 hours ago, 3 flags -
Does anyone have a link to download apple pay for androids
General Chit Chat: 2 hours ago, 1 flags -
Stalker 2 - Review from a Veteran
Video Games: 1 hours ago, 1 flags
active topics
-
-@TH3WH17ERABB17- -Q- ---TIME TO SHOW THE WORLD--- -Part- --44--
Dissecting Disinformation • 3360 • : Thoughtful3 -
Results of the use of the Oreshnik missile system in Dnepropetrovsk
World War Three • 160 • : RickyD -
Montelukast affects brain, caused 5 year old to attempt suicide
Medical Issues & Conspiracies • 12 • : lilzazz -
Jaguar Rebrand Video Causes "WTF?" Moment - Seriously Weird
Automotive Discussion • 27 • : lilzazz -
Stalker 2 - Review from a Veteran
Video Games • 2 • : CriticalStinker -
Elon Says It’s ‘Likely’ He Buys Tanking MSNBC
Political Ideology • 75 • : derfreebie -
President-Elect DONALD TRUMP's 2nd-Term Administration Takes Shape.
Political Ideology • 241 • : WeMustCare -
Will Us use alien technology to fight in ww3?
World War Three • 14 • : DaydreamerX -
Does anyone have a link to download apple pay for androids
General Chit Chat • 6 • : bluemooone44 -
Most INSANE internet rabbit hole
Secret Societies • 2 • : BeyondKnowledge3