[URGENT] tinc has a security hole of about 50 million km^2
Ivo Timmermans
zarq at spark.icicle.yi.org
Tue Aug 29 19:34:25 CEST 2000
Guus Sliepen wrote:
> On Sun, 27 Aug 2000, Ivo Timmermans wrote:
>
> > Sending your passphrase encrypted is all fine, but tinc sends the key
> > with which it was encrypted about a second later...
>
> I think you worried too much, but I might be wrong on the following
> explanation, so please read it carefully:
>
> Tinc generates a public/private key pair on startup. It encrypts it's own
> passphrase with it's public key. This means, that only one with the
> corresponding private key can decrypt that. The other side however, if he
> also has a copy of your passphrase, can VERIFY the passphrase by
> encrypting it with the public key you send later. You cannot decrypt it
> though, so neither the other endpoint nor a man in the middle can decypher
> our passphrase if they do not already have it in plaintext.
Blowfish is symmetric. Encryption key equals Decryption key.
--
Ivo Timmermans
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://brouwer.uvt.nl/pipermail/tinc-devel/attachments/20000829/2fe8a612/attachment.pgp
More information about the Tinc-devel
mailing list