Privacy and passwords

Andrew Sackville-West andrew at swclan.homelinux.org
Thu Mar 6 14:02:42 EST 2008


On Thu, Mar 06, 2008 at 12:48:57PM -0500, Mike or Penny Novack wrote:
> 
> >>and cache the passphrase, or else prompt at every auto-save... and
> >>what about log files? one may want to encrypt custom reports and other
> >>bits of .gnucash or else you'll be providing strings that are
> >>guaranteed to be in the data file, which IIUC help in decryption
> >>efforts.
> >>    
> >>
> >
> >It might help a known-plaintext attack of Actual Cryptanalysis™, but that's
> >almost never the way these things are broken.  Getting the key from a
> >keylogger or memory, or subverting the library, or something far simpler.
> >
> >  
> >
> This is an area where we amateurs tend to fare poorly. I know just 
> enough to perhaps explain that any crypto method classified as "strong" 
> will resist known-plaintext attack. In any case, a system that is 
> "cracked" with respect to known-plaintext attack is cracked by 
> probable-plaintext attack with only a certain number of bits more 
> complexity. Remember that the attacker doesn't need the entire text, 
> just a short portion of it. Well once an encrypted "message" has been 
> identified as a "GnuCash report" there is enough information for a 
> probable-text attack (there just aren't that many different types of 
> reports and each would have something known in the title portion -- for 
> example, a "Balance Sheet" report contains the string "Balance").
> 
> The point here is that the attacker (using a known-plaintext attack) 
> already DOES know some strings guaranteed to be in a set of GnuCash 
> books, yes?

Well yes, but not the report names. More things like the xml tags
which are sprinkled liberally throughout the file. I suspect the large
number of occurrences of "split" and "txn" make those pretty likely
candidates for an attack.

But I tread where I know naught.

A
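
An added illustration of the point argued in this thread (not part of either poster's message and not GnuCash code): the same predictable text at the start of a file recovers everything under a repeating-key XOR, but only its own bytes under a proper keystream. The sample book, key, nonce and function names are constructed, and HMAC-SHA256 in counter mode is an assumption standing in for a vetted cipher.

```python
import hashlib
import hmac
from itertools import cycle

# Constructed sample, not a real GnuCash file; only the predictable text matters.
KNOWN_PREFIX = b'<?xml version="1.0"'
BOOK = KNOWN_PREFIX + b"?><txn><split>rent 950.00</split><split>cash -950.00</split></txn>"


def xor_bytes(data, stream):
    """XOR data with a byte stream (zip stops at the shorter input)."""
    return bytes(x ^ y for x, y in zip(data, stream))


def weak_encrypt(key, data):
    """Repeating-key XOR: a scheme that does NOT resist known plaintext."""
    return xor_bytes(data, cycle(key))


def prf_keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; assumption: stands in for a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def strong_encrypt(key, nonce, data):
    return xor_bytes(data, prf_keystream(key, nonce, len(data)))


def known_plaintext_guess(ciphertext, known, key_len):
    """Use a known prefix the way an analyst would: ciphertext XOR known text
    gives key_len bytes of key material, which is then tried on the whole file."""
    leaked = xor_bytes(ciphertext[:key_len], known[:key_len])
    return xor_bytes(ciphertext, cycle(leaked))


def demo():
    key, nonce = b"s3cr3t!!", b"nonce-01"  # constructed values
    weak = known_plaintext_guess(weak_encrypt(key, BOOK), KNOWN_PREFIX, len(key))
    strong = known_plaintext_guess(strong_encrypt(key, nonce, BOOK), KNOWN_PREFIX, len(key))
    return weak == BOOK, strong == BOOK


if __name__ == "__main__":
    print("weak scheme recovered: %s, PRF stream recovered: %s" % demo())
```

For real data files, use an authenticated cipher from a maintained library with a fresh nonce per file rather than either construction here.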