Sending REALLY sensitive information - page 2.

MysteryMiner

legendary

Activity: 1470

Merit: 1029

Show middle finger to system and then destroy it!

Quote from: saddambitcoin on March 26, 2013, 09:00:47 PM

https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP.

And who prevents the page from storing the message forever? Promise not to do so? I call it a trap! Set up such page, then wait for all sorts of secret and confidential information + IP addresses come in such as passwords and login data, links to child porn and so on.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: ?? on ??

Quote from: SgtSpike on March 26, 2013, 06:25:25 PM

Quote from: ?? on ??

Quote from: kokjo on March 26, 2013, 05:33:15 PM

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.

A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

That can only be done if
a) You don't verify messages over a different line of communication
OR
b) Your attacker has complete control over EVERY line of communication you have

which for very sensitive information, you can assume the attacker does. which means: meet in person, as real persons are hard to fake

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: saddambitcoin on March 26, 2013, 09:00:47 PM

https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP.

Nice, interesting solution there.

Quote from: ?? on ??

Quote from: SgtSpike on March 26, 2013, 06:25:25 PM

Quote from: ?? on ??

Quote from: kokjo on March 26, 2013, 05:33:15 PM

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.

A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

That can only be done if
a) You don't verify messages over a different line of communication
OR
b) Your attacker has complete control over EVERY line of communication you have

Agreed.

saddambitcoin

legendary

Activity: 1610

Merit: 1004

https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP.

MysteryMiner

legendary

Activity: 1470

Merit: 1029

Show middle finger to system and then destroy it!

Quote from: BIGMERVE on March 26, 2013, 06:54:55 PM

Invent your own language.

Not safe at all. Languages all have common traits that distinguish them from random garbage. I don't remember exactly but something to do with statistics and occurrence of words. If adversary can crack PGP then also it can guess the private key spelled by HEX in invented language.

BIGMERVE

hero member

Activity: 728

Merit: 500

Invent your own language.

MysteryMiner

legendary

Activity: 1470

Merit: 1029

Show middle finger to system and then destroy it!

Quote

Would there be a way for someone to MITM communications in such a way that the receiver of the information still gets it and doesn't know that it is compromised?

The both parties engaged in encrypted communication must compare the fingerprints of public keys using some other channel. Such as phone call or in-person meeting. If the messages goes trough but the key fingerprints does not match, there is women in middle attack (threesome) happening.

The one time pad and picture of cat is problem because of non-randomness of random data and the random material can be easily intercepted. It is cumbersome to practical use and that's why key exchange protocols are used to establish connection.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: ?? on ??

Quote from: kokjo on March 26, 2013, 05:33:15 PM

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.

A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: kokjo on March 26, 2013, 05:33:15 PM

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Hmmm, good point. Would there be a way for someone to MITM communications in such a way that the receiver of the information still gets it and doesn't know that it is compromised?

Quote from: Raoul Duke on March 26, 2013, 05:35:07 PM

https://bitmessage.org/wiki/Main_Page

Obviously, the key is getting the correct Bitmessage address for a particular person, but I've heard that Bitmessage addresses can be generated from Bitcoin addresses? That might be one way to prove ownership of a particular address.

Quote from: molecular on March 26, 2013, 05:58:46 PM

Quote from: kokjo on March 26, 2013, 05:33:15 PM

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

if you're familiar with the voice of the person, I think it's pretty safe to transmit the public key via phone after having a conversation about the weather.

Good point as well...

Quote from: Rothgar on March 26, 2013, 06:02:27 PM

Send the person a picture of a cat to use as a one time pad. Grin

Mail them a CD with the picture of the cat that you take yourself. Email the OTP encrypted file.

I'm being a little silly this is probably overkill.

LOL.

What about just mailing a password (plaintext), and then emailing a .rar encrypted file? I don't know what OTP is or how a cat picture could be used as a pad, and yes, that might be overkill for my purposes anyway. Tongue

MysteryMiner

legendary

Activity: 1470

Merit: 1029

Show middle finger to system and then destroy it!

TorChat is out-of-box solution that cannot be compromised unless Tor asymmetric encryption is totally broken or one of boxes are compromised.

Rothgar

sr. member

Activity: 374

Merit: 250

Tune in to Neocash Radio

Send the person a picture of a cat to use as a one time pad. Grin

Mail them a CD with the picture of the cat that you take yourself. Email the OTP encrypted file.

I'm being a little silly this is probably overkill.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: kokjo on March 26, 2013, 05:33:15 PM

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

if you're familiar with the voice of the person, I think it's pretty safe to transmit the public key via phone after having a conversation about the weather.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

https://bitmessage.org/wiki/Main_Page

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: Wolf0 on March 26, 2013, 04:42:07 PM

Screw GPG, it doesn't allow long enough keys for paranoid people. Have your friend generate a 16,384 bit RSA keypair with openssl, encrypt it with the public key, and send it off.

I like it. Cheesy

Wolf0

member

Activity: 81

Merit: 1002

It was only the wind.

Screw GPG, it doesn't allow long enough keys for paranoid people. Have your friend generate a 16,384 bit RSA keypair with openssl, encrypt it with the public key, and send it off.

Lethn

legendary

Activity: 1540

Merit: 1000