U.S. CitiesCity-Data Forum Index
Go Back   City-Data Forum > General Forums > Science and Technology > Internet
 [Register]
Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
View detailed profile (Advanced) or search
site with Google Custom Search

Search Forums  (Advanced)
Reply Start New Thread
 
Old 07-10-2014, 10:31 AM
 
Location: SoCal
6,120 posts, read 9,727,767 times
Reputation: 5942

Advertisements

Quote:
Originally Posted by Woof View Post
Well, let's hope the NSA didn't design this.
Nope. They didn't. And they, as well as the other powers-that-be, are P.O.'d about it.

Pretty Good Privacy - Wikipedia, the free encyclopedia
Reply With Quote Quick reply to this message

 
Old 07-10-2014, 07:48 PM
 
15,924 posts, read 17,648,084 times
Reputation: 7645
Quote:
Originally Posted by thecoalman View Post
Why do you need to be so abrasive in your posts?

I didn't say the developer didn't realize it. The point is no matter how simplified the process is the breakdown occurs becsue two people need to take action. If the person I want to send encrypted files too is too lazy or could care less it's not going to happen without action from their part. No matter how safe I want to be with my communication I'm reliant on the actions of another party.
When someone gets fixated on something that has little to do with the OP and more to do with how it works, wellll.....
Reply With Quote Quick reply to this message
 
Old 07-10-2014, 08:21 PM
 
40,196 posts, read 41,790,512 times
Reputation: 16747
Quote:
Originally Posted by plwhit View Post
When someone gets fixated on something that has little to do with the OP and more to do with how it works, wellll.....
It has everything to do with the OP. My point is the complexity of running the software is not the fundamental flaw in public/private key encryption. The major flaw is having to depend on someone else before you can use it. You can have the simplest and most elegant program in the world and that all breaks down when human interaction is required especially when one party is dependent on the other.
Reply With Quote Quick reply to this message
 
Old 07-10-2014, 08:30 PM
 
Location: Itinerant
6,787 posts, read 4,375,882 times
Reputation: 5109
Problem is that the private key generation algorithm is deterministic.

Suppose I choose a passphrase "This is my passphrase"

Every time that the private key generator runs against that (because the passphrase is just a bunch of random characters as far as the algo is concerned), it generates the same private key (this is the only way you can switch machines, type in a passphrase and be able to decrypt). This makes it weak against social engineering attacks (people have a style of password generation methods) and with 30 characters you can bet people are not going to be generating complex strings of alphanumeric (lower and uppercase) and symbols that they have to remember.

Also if coincidentally someone else has the same passphrase then they can decrypt mail that is yours.

The second potential issue is that with the private key generator being deterministic, this will mean that the public key generator is equally deterministic, and if they're not really careful it may permit reverse engineering of the private key from the public key.

One of the issues of RSA's compromised encryption today is that the output of the PRNG is deterministic, so I don't entirely know how this resolves the issue.
__________________
My mod posts will always be in red.
The RulesInfractions & DeletionsWho's the moderator? • FAQ • What is a "Personal Attack" • What is "Trolling" • Guidelines for copyrighted material.
Reply With Quote Quick reply to this message
 
Old 07-10-2014, 10:53 PM
 
15,924 posts, read 17,648,084 times
Reputation: 7645
Quote:
Originally Posted by thecoalman View Post
It has everything to do with the OP. My point is the complexity of running the software is not the fundamental flaw in public/private key encryption. The major flaw is having to depend on someone else before you can use it. You can have the simplest and most elegant program in the world and that all breaks down when human interaction is required especially when one party is dependent on the other.
Not to add more fluff to this thread but....

This thread concerns an app that simplifies PGP so anyone can encrypt anything, PERIOD

Let us review the main point of the article shall we?

Quote:
Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he’ll release a beta version of an all-purpose file encryption program called miniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.
You want to discuss the shortcomings of PGP?

See the button that is labelled: New Thread

Click on it open your own thread and discuss the shortcomings of PGP there...
Reply With Quote Quick reply to this message
 
Old 07-11-2014, 05:16 AM
 
40,196 posts, read 41,790,512 times
Reputation: 16747
Quote:
Originally Posted by plwhit View Post

You want to discuss the shortcomings of PGP?
What I have posted applies to this app as it does to any public/private key encryption.
Reply With Quote Quick reply to this message
 
Old 07-11-2014, 10:11 AM
 
Location: SoCal
6,120 posts, read 9,727,767 times
Reputation: 5942
Quote:
Originally Posted by Gungnir View Post
Problem is that the private key generation algorithm is deterministic.

Suppose I choose a passphrase "This is my passphrase"

Every time that the private key generator runs against that (because the passphrase is just a bunch of random characters as far as the algo is concerned), it generates the same private key (this is the only way you can switch machines, type in a passphrase and be able to decrypt). This makes it weak against social engineering attacks (people have a style of password generation methods) and with 30 characters you can bet people are not going to be generating complex strings of alphanumeric (lower and uppercase) and symbols that they have to remember.

Also if coincidentally someone else has the same passphrase then they can decrypt mail that is yours.

The second potential issue is that with the private key generator being deterministic, this will mean that the public key generator is equally deterministic, and if they're not really careful it may permit reverse engineering of the private key from the public key.

One of the issues of RSA's compromised encryption today is that the output of the PRNG is deterministic, so I don't entirely know how this resolves the issue.
I never heard of a PGP key generator that takes a passphrase for creating the keys. (And if I did, I'd go looking for a different one.)
Reply With Quote Quick reply to this message
 
Old 07-11-2014, 04:49 PM
 
Location: Itinerant
6,787 posts, read 4,375,882 times
Reputation: 5109
Quote:
Originally Posted by oddstray View Post
I never heard of a PGP key generator that takes a passphrase for creating the keys. (And if I did, I'd go looking for a different one.)
Good thing we're not discussing PGP.

From the article...

Quote:
Kobeissi’s version of public key encryption hides nearly all of that complexity. There’s no need to even register or log in—every time miniLock launches, the user enters only a passphrase, though miniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a miniLock ID, and a private key, which the user never sees and is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key.
Sounds like a deterministic key gen to me, based on your randomly input string.
__________________
My mod posts will always be in red.
The RulesInfractions & DeletionsWho's the moderator? • FAQ • What is a "Personal Attack" • What is "Trolling" • Guidelines for copyrighted material.
Reply With Quote Quick reply to this message
 
Old 07-11-2014, 10:31 PM
 
28,611 posts, read 40,593,270 times
Reputation: 37281
What the Hell, plwhit? Are we going to go through all this again?

Cool your jets, man.
Reply With Quote Quick reply to this message
Please register to post and access all features of our very popular forum. It is free and quick. Over $68,000 in prizes has already been given out to active posters on our forum. Additional giveaways are planned.

Detailed information about all U.S. cities, counties, and zip codes on our site: City-data.com.


Reply
Please update this thread with any new information or opinions. This open thread is still read by thousands of people, so we encourage all additional points of view.

Quick Reply
Message:

Over $104,000 in prizes was already given out to active posters on our forum and additional giveaways are planned!

Go Back   City-Data Forum > General Forums > Science and Technology > Internet
Follow City-Data.com founder on our Forum or

All times are GMT -6. The time now is 10:00 PM.

© 2005-2019, Advameg, Inc. · Please obey Forum Rules · Terms of Use and Privacy Policy · Bug Bounty

City-Data.com - Archive 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35 - Top