Privacy and passwords
Mike or Penny Novack
stepbystepfarm at mtdata.com
Thu Mar 6 12:48:57 EST 2008
>>and cache the passphrase, or else prompt at every auto-save... and
>>what about log files? one may want to encrypt custom reports and other
>>bits of .gnucash or else you'll be providing strings that are
>>guaranteed to be in the data file, which IIUC help in decryption
>>efforts.
>>
>>
>
>It might help a known-plaintext attack of Actual Cryptanalysis™, but that's
>almost never the way these things are broken. Getting the key from a
>keylogger or memory, or subverting the library, or something far simpler.
>
>
>
This is an area where we amateurs tend to fare poorly. I know just
enough to perhaps explain that any crypto method classified as "strong"
will resist known-plaintext attack. In any case, a system that is
"cracked" with respect to known-plaintext attack is cracked by
probable-plaintext attack with only a certain number of bits more
complexity. Remember that the attacker doesn't need the entire text,
just a short portion of it. Well, once an encrypted "message" has been
identified as a "GnuCash report" there is enough information for a
probable-text attack (there just aren't that many different types of
reports and each would have something known in the title portion -- for
example, a "Balance Sheet" report contains the string "Balance").
The point here is that the attacker (using a known-plaintext attack)
already DOES know some strings guaranteed to be in a set of GnuCash
books, yes?
Michael