Re: Crypto Question

[N407ER <n407er () myrealbox com>]

Hagen, Eric wrote:
> In an assymetric cypher (e.g. PGP) you can take steps to protect your
> private key (such as keeping it encrypted in a "conventional" encrypted
> archive or hidden somewhere).  That can mitigate the risk of having a weak
> passphrase, but it's no reliable subtitute.  If your data is in jeopardy,
> destroying the private key makes the archive inaccessable except through
> brute-force cypher cracking methods.
>
> But, generally, yes.  Dictionary attacks on the passphrase are one of the
> only reasonable recourses for someone trying to hack a high-security modern
> encryption protocol.
>
> Eric Hagen

If I'm not mistaken, though, the passphrase on the PGP private key is 
simply a bit of symmetric-key encryption to help protect your private 
key in the event that the key itself is compromized. But if you've got 
your key secured on, say, a CD in a locked drawer, and you send an 
e-mail encrypted with that key, the passphrase (or lack) is irrelevent; 
an attacker would still have to break the RSA encryption, of which the 
only current known mean is bruteforce. The passphrase really only comes 
into play if your private key is compromized; e.g. the attacker breaks 
into your system and steals your key. Am I incorrect in this assumption? 
I've never really looked at the internal workings of PGP (but I was 
under the impression its fairly stock RSA).

Cheers.






---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------