Package: cryptcat
Version: 20031202-4
Severity: wishlist
Tags: upstream

Dear Maintainer,

To generate its 128-bit key, cryptcat uses generateKey in twofish2.cc. This function uses only 4 bits of every character. If the password is too short, cryptcat cycles the pw. If it has more than 32 characters, it throws the rest away. This isn't a problem if you use a random 32-character password. But if the pw is short (short means up to around 16 random ISO-8859 characters), it's breakable, since you can find a simple one which decrypts the traffic too. The same problem occurs if you use a really long password with low entropy (which could be secure). This should at least be mentioned in the man page. You can use cryptcat -k $(echo "[PASSWD]" | md5sum) … which would solve the problem. So cryptcat can be a useful tool, but you can misuse it really easily, and you can only learn how to use it if you look at the source. I described the problem here with a few examples: viewtopic.php?f=37&t=143408 (It's German, but there are some tools which can translate this ;-)).

greetings,
wanne

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cryptcat depends on:
ii  libc6       2.13-38
ii  libgcc1     1:4.7.2-5
ii  libstdc++6  4.7.2-5

cryptcat recommends no packages.

cryptcat suggests no packages.

-- no debconf information
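
The key derivation described in the report above, modelled as an added example (not cryptcat's code and not part of the original report). The character-to-nibble mapping and the nibble packing order are assumptions, chosen so that hex digits cover all 16 values as the md5sum workaround implies; model_key, max_key_bits and hashed_key_arg are hypothetical names.

```python
import hashlib

KEY_CHARS = 32  # the report: 32 characters x 4 bits each = one 128-bit key

def nibble(byte):
    # ASSUMPTION (not taken from twofish2.cc): hex digits keep their value,
    # any other byte contributes only its low 4 bits.
    ch = chr(byte)
    return int(ch, 16) if ch in "0123456789abcdefABCDEF" else byte & 0x0F

def model_key(password: bytes) -> bytes:
    """Model of the derivation described in the report (hypothetical helper)."""
    if not password:
        raise ValueError("empty password")
    # Short passwords are cycled, anything past 32 characters is dropped.
    chars = [password[i % len(password)] for i in range(KEY_CHARS)]
    nibbles = [nibble(b) for b in chars]
    # ASSUMPTION: two nibbles per key byte, high nibble first.
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, KEY_CHARS, 2))

def max_key_bits(password: bytes) -> int:
    """Upper bound on key entropy: 4 bits per password position, 32 at most."""
    return 4 * min(len(password), KEY_CHARS)

def hashed_key_arg(password: str) -> str:
    """First field printed by `echo "$PW" | md5sum` (echo appends a newline)."""
    return hashlib.md5((password + "\n").encode()).hexdigest()

if __name__ == "__main__":
    # Constructed sample passwords; the first three yield the same model key.
    samples = (b"secret", b"secretsecret", b"3ec2e4", hashed_key_arg("secret").encode())
    for pw in samples:
        print(f"{pw!r:40} <= {max_key_bits(pw):3} bits  key={model_key(pw).hex()}")
```

The bound from max_key_bits holds whatever the real mapping is, because it depends only on the 4-bits-per-character, cycling and truncation behaviour the report states.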