HackDig : Dig high-quality web security articles for hacker

Cryptkeeper Bug

2017-02-07 21:10

The Linux encryption app Cryptkeeper has a rather stunning security bug: the single-character decryption key "p" decrypts everything:

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress -- instead, it sets passwords for folders to just that letter.

In 2013, I wrote an essay about how an organization might go about designing a perfect backdoor. This one seems much more like a bad mistake than deliberate action. It's just too dumb, and too obvious. If anyone actually used Cryptkeeper, it would have been discovered long ago.
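An added example, not code from Cryptkeeper, encfs or the original post: a constructed model of the failure described above, in which a wrapper scripts a 'p' keystroke for a mode prompt and the CLI instead takes that line as the password, followed by a wrapper that self-tests the result. `cli_v1`, `cli_v2` and every other name here are hypothetical stand-ins, and the two prompt orders are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import os

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _create(mode: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"mode": mode, "salt": salt, "verifier": _derive(password, salt)}

def cli_v1(stdin) -> dict:
    """Constructed CLI: reads a mode key from stdin, then the password."""
    mode = stdin.readline().rstrip("\n")
    return _create(mode, stdin.readline().rstrip("\n"))

def cli_v2(stdin) -> dict:
    """Constructed later revision: no mode prompt, first line is the password."""
    return _create("standard", stdin.readline().rstrip("\n"))

def unlock(volume: dict, candidate: str) -> bool:
    derived = _derive(candidate, volume["salt"])
    return hmac.compare_digest(volume["verifier"], derived)

def blind_create(cli, password: str) -> dict:
    # Fixed keystroke script: 'p' for the mode prompt, then the password.
    # Nothing checks that the CLI asks its questions in that order.
    return cli(io.StringIO("p\n" + password + "\n"))

def checked_create(cli, password: str) -> dict:
    volume = blind_create(cli, password)
    # Self-test before handing the volume to the user: the intended password
    # must open it, and the scripted mode keystroke must not.
    if not unlock(volume, password) or (password != "p" and unlock(volume, "p")):
        raise RuntimeError("scripted input out of sync with CLI prompts")
    return volume
```

Against `cli_v1` both wrappers produce a volume that opens only with the intended password; against `cli_v2` the blind wrapper silently produces a volume that opens with "p", and the checked wrapper refuses to return it.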


Source: tag:www.schneier.com,2017:/blog//2.10996
