
Topic: Sending REALLY sensitive information - page 2. (Read 3491 times)

legendary
Activity: 1512
Merit: 1049
Death to enemies!
March 27, 2013, 07:44:22 AM
#28
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
And who prevents the page from storing the message forever? Promise not to do so? I call it a trap! Set up such a page, then wait for all sorts of secret and confidential information + IP addresses to come in, such as passwords and login data, links to child porn and so on.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 27, 2013, 04:11:49 AM
#27
This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.
A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

That can only be done if
a) You don't verify messages over a different line of communication
OR
b) Your attacker has complete control over EVERY line of communication you have
Which, for very sensitive information, you can assume the attacker does. Which means: meet in person, as real persons are hard to fake.
legendary
Activity: 1400
Merit: 1005
March 26, 2013, 08:40:39 PM
#26
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
Nice, interesting solution there.


This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.
A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

That can only be done if
a) You don't verify messages over a different line of communication
OR
b) Your attacker has complete control over EVERY line of communication you have
Agreed.
legendary
Activity: 1610
Merit: 1004
March 26, 2013, 08:00:47 PM
#25
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
legendary
Activity: 1512
Merit: 1049
Death to enemies!
March 26, 2013, 05:59:01 PM
#24
Invent your own language.
Not safe at all. Languages all have common traits that distinguish them from random garbage. I don't remember exactly, but it is something to do with statistics and the occurrence of words. If an adversary can crack PGP, then it can also guess the private key spelled out in HEX in an invented language.
hero member
Activity: 728
Merit: 500
March 26, 2013, 05:54:55 PM
#23
Invent your own language.
legendary
Activity: 1512
Merit: 1049
Death to enemies!
March 26, 2013, 05:37:52 PM
#22
Quote
Would there be a way for someone to MITM communications in such a way that the receiver of the information still gets it and doesn't know that it is compromised?
Both parties engaged in encrypted communication must compare the fingerprints of the public keys using some other channel, such as a phone call or an in-person meeting. If the messages go through but the key fingerprints do not match, there is a woman-in-the-middle attack (threesome) happening.

The one-time pad and picture of a cat is a problem because of the non-randomness of the random data, and the random material can be easily intercepted. It is cumbersome for practical use, and that's why key exchange protocols are used to establish a connection.
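
The fingerprint comparison discussed in this thread, as an added example that is not part of any post: it computes an OpenPGP version 4 fingerprint (SHA-1 over the public-key packet, per RFC 4880) and checks a received key against a fingerprint obtained over a second channel. The two keys are constructed toy values, and `key_matches`, `normalize` and `demo` are hypothetical helper names.

```python
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then the bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_packet(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte length and the packet body (RFC 4880, 12.2)."""
    data = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(data).hexdigest().upper()


def normalize(spoken: str) -> str:
    """Drop spaces, colons and case so a fingerprint read aloud compares cleanly."""
    return "".join(ch for ch in spoken if ch.isalnum()).upper()


def key_matches(received_body: bytes, fingerprint_from_other_channel: str) -> bool:
    """True only if the received key hashes to the fingerprint heard out of band."""
    return hmac.compare_digest(v4_fingerprint(received_body),
                               normalize(fingerprint_from_other_channel))


# Constructed toy values, far too small to be real keys; only the hashing matters.
B_KEY = rsa_key_packet(1364310000, 0xC0FFEE1234567890ABCDEF0123456789, 65537)
C_KEY = rsa_key_packet(1364310000, 0xBADC0DE1234567890ABCDEF012345679B, 65537)


def demo():
    """B reads the real fingerprint over the phone; A checks whatever key arrived."""
    fp = v4_fingerprint(B_KEY)
    spoken = " ".join(fp[i:i + 4] for i in range(0, len(fp), 4)).lower()
    return key_matches(B_KEY, spoken), key_matches(C_KEY, spoken)


if __name__ == "__main__":
    print(demo())
```

A key substituted in transit fails the check even though it arrived labelled as B's, which is why the comparison has to use a channel the key itself did not travel over.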
legendary
Activity: 1400
Merit: 1005
March 26, 2013, 05:25:25 PM
#21
This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.
A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.
legendary
Activity: 1400
Merit: 1005
March 26, 2013, 05:23:54 PM
#20
This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Hmmm, good point.  Would there be a way for someone to MITM communications in such a way that the receiver of the information still gets it and doesn't know that it is compromised?

Obviously, the key is getting the correct Bitmessage address for a particular person, but I've heard that Bitmessage addresses can be generated from Bitcoin addresses?  That might be one way to prove ownership of a particular address.

This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

if you're familiar with the voice of the person, I think it's pretty safe to transmit the public key via phone after having a conversation about the weather.
Good point as well...

Send the person a picture of a cat to use as a one time pad. ;D

Mail them a CD with the picture of the cat that you take yourself. Email the OTP encrypted file.

I'm being a little silly; this is probably overkill.
LOL.

What about just mailing a password (plaintext), and then emailing a .rar encrypted file?  I don't know what OTP is or how a cat picture could be used as a pad, and yes, that might be overkill for my purposes anyway. :P
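
What a one-time pad is and how a picture would serve as one, as an added example that is not part of any post; it also measures the non-randomness objection raised in reply #22. The "picture" is a constructed stand-in (a standard JFIF header plus a made-up body), and the message and helper names are hypothetical.

```python
import math
import os
from collections import Counter

# Constructed stand-in for the cat photo: the fixed 11-byte JFIF header that
# starts a typical JPEG, followed by a made-up body with long uniform runs.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600")
PICTURE = JFIF_HEADER + bytes([0x80] * 200) + bytes(range(64)) * 4


def xor_pad(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR each byte with one pad byte; the pad is never reused."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; 8.0 is the ideal for pad material."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def leaked_prefix(ciphertext: bytes) -> bytes:
    """Plaintext exposed by the file format alone, without access to the picture."""
    return xor_pad(ciphertext[:len(JFIF_HEADER)], JFIF_HEADER)


MESSAGE = b"password: hunter2 (constructed sample)"
CIPHERTEXT = xor_pad(MESSAGE, PICTURE)

if __name__ == "__main__":
    print("decrypts with the picture:", xor_pad(CIPHERTEXT, PICTURE) == MESSAGE)
    print("picture entropy  :", round(entropy_bits_per_byte(PICTURE), 2), "bits/byte")
    print("urandom entropy  :", round(entropy_bits_per_byte(os.urandom(4096)), 2), "bits/byte")
    print("exposed by header:", leaked_prefix(CIPHERTEXT))
```

The scheme only has its textbook security when the pad is uniformly random, at least as long as the message and used once; pad bytes from `os.urandom` meet the first condition, a file with a predictable layout does not.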
legendary
Activity: 1512
Merit: 1049
Death to enemies!
March 26, 2013, 05:08:20 PM
#19
TorChat is an out-of-the-box solution that cannot be compromised unless Tor's asymmetric encryption is totally broken or one of the boxes is compromised.
sr. member
Activity: 374
Merit: 250
Tune in to Neocash Radio
March 26, 2013, 05:02:27 PM
#18
Send the person a picture of a cat to use as a one time pad. ;D

Mail them a CD with the picture of the cat that you take yourself. Email the OTP encrypted file.

I'm being a little silly; this is probably overkill.
donator
Activity: 2772
Merit: 1019
March 26, 2013, 04:58:46 PM
#17
This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

if you're familiar with the voice of the person, I think it's pretty safe to transmit the public key via phone after having a conversation about the weather.

legendary
Activity: 1358
Merit: 1002
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 26, 2013, 04:33:15 PM
#15
This generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack
legendary
Activity: 1400
Merit: 1005
March 26, 2013, 04:29:46 PM
#14
Screw GPG, it doesn't allow long enough keys for paranoid people. Have your friend generate a 16,384 bit RSA keypair with openssl, encrypt it with the public key, and send it off.
I like it. :D
member
Activity: 81
Merit: 1002
It was only the wind.
March 26, 2013, 03:42:07 PM
#14
Screw GPG, it doesn't allow long enough keys for paranoid people. Have your friend generate a 16,384 bit RSA keypair with openssl, encrypt it with the public key, and send it off.
legendary
Activity: 1540
Merit: 1000
March 26, 2013, 12:55:00 PM
#13
Just send them a letter with a seal.

You should also make sure they burn it after they read it otherwise someone might pick it up in the bin.
legendary
Activity: 1400
Merit: 1005
March 26, 2013, 12:52:55 PM
#12
Give it to them in person.

^^this^^
Assume they live across the globe and it is not possible.
legendary
Activity: 1330
Merit: 1000
Bitcoin
March 26, 2013, 12:38:22 PM
#11
Give it to them in person.

^^this^^
legendary
Activity: 1400
Merit: 1005
March 26, 2013, 12:17:44 PM
#10
PGP encrypted mail
OTR encrypted IM chat
TorChat

The list can go on.
Let's keep it to options where we don't have to be online at the same time... but thanks for the suggestions!