[Cialug] dual passphrase encryption

Colin Burnett cmlburnett at gmail.com
Fri Dec 7 23:05:20 CST 2007


On Dec 7, 2007 10:45 PM, Jeffrey Ollie <jeff at ocjtech.us> wrote:
>
> In fact the server should never even see the unencrypted data.  The
> server is your classic "man in the middle".  Compromise the server and
> all of your encryption is pointless.

The same argument goes for never doing online purchasing...or online
banking...or anything online of the like.  Just because your bank has
a Verisign CA signed HTTPS cert doesn't mean they haven't been
compromised.  Argue with Matthew's friend for wanting it, not my
solution for doing what his friend wants as I understand it.  Yes?  :)

And you're only half right.  The only data compromised is keys created
and messages accessed after being compromised.  Otherwise the server
wouldn't have the passphrases, ergo they wouldn't be able to get to
the plaintext data (that was in fact the point).


Colin
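The model Colin is arguing for in the lines above, the client encrypting under a passphrase the server never receives so the server stores only opaque blobs, as an added example that is not part of the original thread and not the solution Colin built. It uses only the Python standard library: PBKDF2-SHA256 key derivation, an HMAC-SHA256 keystream in counter mode, and an encrypt-then-MAC tag. All names (`StoredBlob`, `Server`, `client_encrypt`, `client_decrypt`) are assumptions made for this illustration, and the stream construction stands in for a real AEAD such as AES-GCM or ChaCha20-Poly1305, which you would use in practice.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative construction only (constructed for this example, not the
# thread's own code). In production use an AEAD from a vetted library.
PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class StoredBlob:
    """Everything the server ever sees: salt, nonce, ciphertext, tag.
    No passphrase and no derived key is ever sent to it."""
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into an encryption key and a separate MAC key."""
    master = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return master[:32], master[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; nonce must be fresh per key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(passphrase: str, plaintext: bytes) -> StoredBlob:
    """Runs on the client. Output is safe to hand to an untrusted server."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the server stores, so tampering is detected.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return StoredBlob(salt, nonce, ciphertext, tag)


def client_decrypt(passphrase: str, blob: StoredBlob) -> bytes:
    """Runs on the client. Fails closed on a wrong passphrase or a modified blob."""
    enc_key, mac_key = derive_keys(passphrase, blob.salt)
    expected = hmac.new(
        mac_key, blob.salt + blob.nonce + blob.ciphertext, hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, blob.tag):
        raise ValueError("authentication failed: wrong passphrase or tampered blob")
    stream = keystream(enc_key, blob.nonce, len(blob.ciphertext))
    return bytes(c ^ k for c, k in zip(blob.ciphertext, stream))


class Server:
    """The 'man in the middle' from the thread: it stores blobs by message id
    and never learns a passphrase in normal operation."""

    def __init__(self) -> None:
        self.store: dict[str, StoredBlob] = {}

    def put(self, msg_id: str, blob: StoredBlob) -> None:
        self.store[msg_id] = blob

    def get(self, msg_id: str) -> StoredBlob:
        return self.store[msg_id]

    def compromised_view(self, msg_id: str) -> bytes:
        """What an attacker who owns the server can read: the ciphertext only."""
        return self.store[msg_id].ciphertext

    def open_with_passphrase(self, msg_id: str, passphrase: str) -> bytes:
        """Whoever holds the passphrase (the client, or an attacker who captured
        it on a compromised server) can open any blob stored under it."""
        return client_decrypt(passphrase, self.store[msg_id])


if __name__ == "__main__":
    server = Server()
    server.put("m1", client_encrypt("correct horse battery", b"meeting moved to 3pm"))
    print(server.compromised_view("m1").hex())
    print(server.open_with_passphrase("m1", "correct horse battery"))
```

The point to check in your own design is what `Server` stores: if the stored blob never includes the passphrase or a key derived from it, a server dump yields ciphertext only; anything that does leak the passphrase to the server (a login that sends it for verification, a key derived server-side) collapses back to the situation Jeffrey describes.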

