[URGENT] tinc has a security hole of about 50 million km^2

Guus Sliepen guus at sliepen.warande.net
Tue Aug 29 10:47:42 CEST 2000


On Sun, 27 Aug 2000, Ivo Timmermans wrote:

> Sending your passphrase encrypted is all fine, but tinc sends the key
> with which it was encrypted about a second later...

I think you worried too much, but I might be wrong on the following
explanation, so please read it carefully:

Tinc generates a public/private key pair on startup. It encrypts its own
passphrase with its public key. This means, that only one with the
corresponding private key can decrypt that. The other side however, if he
also has a copy of your passphrase, can VERIFY the passphrase by
encrypting it with the public key you send later. You cannot decrypt it
though, so neither the other endpoint nor a man in the middle can decipher
our passphrase if they do not already have it in plaintext.

The order in which the passphrases and the keys are sent does not matter.

-------------------------------------------
Met vriendelijke groet / with kind regards,
  Guus Sliepen <guus at sliepen.warande.net>
-------------------------------------------
See also: http://tinc.nl.linux.org/
          http://www.kernelbench.org/
-------------------------------------------

---
TINC development list, tinc-devel at nl.linux.org
Archive: http://mail.nl.linux.org/tinc-devel/
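
The verification step described in the message above, as an added example that is not part of the original post and is not tinc's code. It assumes unpadded textbook RSA (the message does not name the algorithm); the key parameters, passphrases and function names are all constructed for illustration.

```python
# Added illustration: toy textbook RSA without padding, NOT tinc's code.
# All parameters and passphrases are constructed; keys are far too small
# for real use.

P = 2**61 - 1   # Mersenne prime (constructed toy parameter)
Q = 2**89 - 1   # Mersenne prime (constructed toy parameter)
E = 65537       # public exponent


def make_keypair():
    """Return ((n, e), (n, d)) for the toy modulus n = P * Q."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def encrypt(public_key, passphrase: bytes) -> int:
    """Deterministic encryption: same key and input give the same output."""
    n, e = public_key
    m = int.from_bytes(passphrase, "big")
    if m >= n:
        raise ValueError("passphrase too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the private exponent can recover the passphrase."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def peer_verifies(public_key, ciphertext: int, local_copy: bytes) -> bool:
    """The receiving side re-encrypts its own copy and compares.

    It never decrypts anything; the comparison works only because the
    encryption above is deterministic.
    """
    try:
        return encrypt(public_key, local_copy) == ciphertext
    except ValueError:
        return False


if __name__ == "__main__":
    pub, priv = make_keypair()
    sent = encrypt(pub, b"shared secret")            # constructed passphrase
    print(peer_verifies(pub, sent, b"shared secret"))  # peer holds the same one
    print(peer_verifies(pub, sent, b"other secret"))   # peer holds a different one
```

The comparison depends on the encryption being deterministic, so the ciphertext together with the public key lets any holder confirm a passphrase they already have, which is the property the message describes.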