Privacy and passwords

Mike or Penny Novack stepbystepfarm at mtdata.com
Thu Mar 6 12:48:57 EST 2008


>>and cache the passphrase, or else prompt at every auto-save... and
>>what about log files? one may want to encrypt custom reports and other
>>bits of .gnucash or else you'll be providing strings that are
>>guaranteed to be in the data file, which IIUC help in decryption
>>efforts.
>
>It might help a known-plaintext attack of Actual Cryptanalysis™, but that's
>almost never the way these things are broken.  Getting the key from a
>keylogger or memory, or subverting the library, or something far simpler.
>
This is an area where we amateurs tend to fare poorly. I know just 
enough to perhaps explain that any crypto method classified as "strong" 
will resist known-plaintext attack. In any case, a system that is 
"cracked" with respect to known-plaintext attack is cracked by 
probable-plaintext attack with only a certain number of bits more 
complexity. Remember that the attacker doesn't need the entire text, 
just a short portion of it. Well once an encrypted "message" has been 
identified as a "GnuCash report" there is enough information for a 
probable-text attack (there just aren't that many different types of 
reports and each would have something known in the title portion -- for 
example, a "Balance Sheet" report contains the string "Balance").

The point here is that the attacker (using a known-plaintext attack) 
already DOES know some strings guaranteed to be in a set of GnuCash 
books, yes?

Michael
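
The probable-plaintext argument in the message above, as an added example that is not part of the original post or of GnuCash: a deliberately weak repeating-key XOR stands in for a system that is already "cracked" under known-plaintext, and guessing the report title from a short candidate list costs only log2(number of candidates) extra bits of work. The key, key length, report text and candidate titles are all constructed assumptions.

```python
import math
from itertools import cycle

KEY_LEN = 4                                  # assumed known for this toy cipher
SECRET_KEY = bytes([0x9E, 0x13, 0xC7, 0x5A])  # constructed sample key

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR. Deliberately weak; encrypt == decrypt."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# Constructed sample report; the title is the predictable portion.
REPORT = (b"Balance Sheet\nAssets 1200.00\n"
          b"Liabilities 300.00\nEquity 900.00\n")
CIPHERTEXT = xor_cipher(REPORT, SECRET_KEY)

# The attacker does not know which report this is, only the short list
# of titles a report could start with (hypothetical list).
CANDIDATE_TITLES = [b"Income Statement", b"Cash Flow", b"Balance Sheet"]

def looks_like_text(data: bytes) -> bool:
    """Plausibility check: newline or printable ASCII only."""
    return all(b == 10 or 32 <= b < 127 for b in data)

def probable_plaintext_attack(ct: bytes, titles, key_len: int):
    """Run the known-plaintext step once per guessed title.

    Returns (key, title, guesses_tried); key is None if no guess fits.
    """
    tried = 0
    for title in titles:
        tried += 1
        if len(title) < key_len:
            continue
        # Known-plaintext step: key = ciphertext XOR guessed plaintext.
        key = bytes(c ^ p for c, p in zip(ct[:key_len], title))
        if looks_like_text(xor_cipher(ct, key)):
            return key, title, tried
    return None, None, tried

def extra_bits(candidates: int) -> float:
    """Added work of guessing versus knowing the plaintext, in bits."""
    return math.log2(candidates)

if __name__ == "__main__":
    key, title, tried = probable_plaintext_attack(
        CIPHERTEXT, CANDIDATE_TITLES, KEY_LEN)
    print(f"recovered key {key.hex()} via title {title!r}")
    print(f"{tried} guesses = {extra_bits(tried):.2f} extra bits")
```

A cipher that resists known-plaintext attack gives the attacker nothing at the key-derivation step, so the predictable title costs the defender nothing; with the toy cipher, hiding which report it is buys under two bits.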

