Re: Is YellowCrypt OK?

From: simon (ablv-ccop_at_spamex.com)
Date: 07/13/05


Date: 13 Jul 2005 00:18:55 -0700

Gregory G Rose schrieb:

> Suppose there's an undercover worker in a
> dangerous place, and she gets a piece of email
> with an attachment (or whatever) that claims to
> be content encrypted with Yellowcrypt (or
> something else, it doesn't matter). She opens
> this email by clicking on the attachment, or
> running the javascript, or whatever. There is
> nothing cryptographic preinstalled on her
> computer.
>
> Given that what she has received has come through
> the hostile government to get to her, how can
> Yellowcrypt (or anything else) guarantee the
> security of the contents and the safety of the
> recipient? It could be a totally hostile message
> that installs a trojan horse on her computer and
> emails her password back to the government.
>
> So, please explain how your product guarantees
> this worker's safety.

Well, just for starters, PGP cannot solve this problem at all. The act
of having PGP on his system would already put the undercover worker
straight into jail. The same would hold for encrypting his disk.

Again, you have not read the documentation on the YellowCrypt Web site,
let alone tried the program.

The fact is, that no matter what is sent to the undercover worker as a
faked attachment, the on-line YellowCrypt read&reply program will not
be able to open it unless it is an authentic YellowCrypt message. The
latter includes the ID of the sender. This ID is part of the
registration process. The activation code which produces the ID is - of
course - encrypted. And then there is still the message password issue.
In practice the evil power would have to take over the system of a
different underground worker and force the possesor to reveal his
password. From then on the evil power could pretend to be the captured
agent.

Of course in the case of PGP the same holds true. If I take over the
PGP PC I might not even need to know any PGP connected passwords for
the keystore. All I have to do is crack the Windows password - in about
2 seconds - and with a bit of luck, all the rest will be done fully
automatically. That is the authentification will be correct and the
e-mail will be encryted automatically, unless set up otherwise.

This is not the case with YellowCrypt. The password has to be keyed in
manually.

On the other hand if PGP was set up properly - i.e. with nothing
running automatically - it will achieve the same security as is offered
by YellowCrypt for the case in question.

Simon



Relevant Pages

  • NTFS and PGP interact to expose EFS encrypted data
    ... NTFS and PGP interact to expose EFS encrypted data ... As explorer works it's way through the file system encrypting the ... The permissions on the temp file are set to a very ... Do not enable PGP's Wipe Deleted Files option if you are using ...
    (NT-Bugtraq)
  • NTFS and PGP interact to expose EFS encrypted data
    ... NTFS and PGP interact to expose EFS encrypted data ... As explorer works it's way through the file system encrypting the ... The permissions on the temp file are set to a very ... Do not enable PGP's Wipe Deleted Files option if you are using ...
    (Bugtraq)
  • Re: Hifn 7955/7956 crypto accelerator questions
    ... Assuming two FreeBSD computers with crypto accelerators are ... It all depends on your CPU and your algorithm. ... PGP mostly uses an asymmetric cypher encrypted using RSA or DSA because ... symmetric key and encrypting it, but for large files the cost would be ...
    (freebsd-current)
  • Re: PGP
    ... Subject: PGP ... > encrypting an email with PGP, then providing the key to decrypt it is ... Anyone can use that key to decrypt the email. ... Only the recipient's private key (which is not [and should not ...
    (Security-Basics)
  • Re: Where to store id/password on the net?
    ... > I would recommend using a plain text file and encrypting it ... > Your only problem then is computers without PGP installed. ... I agree that a USB key is a good solution, and that if I encrypt my ... my small personal site, something just like ...
    (comp.security.misc)