Security Basics mailing list archives
Re: Crypto Question
From: N407ER <n407er () myrealbox com>
Date: Sat, 15 Nov 2003 20:36:58 -0500
Hagen, Eric wrote:
In an asymmetric cypher (e.g. PGP) you can take steps to protect your private key (such as keeping it encrypted in a "conventional" encrypted archive or hidden somewhere). That can mitigate the risk of having a weak passphrase, but it's no reliable substitute. If your data is in jeopardy, destroying the private key makes the archive inaccessible except through brute-force cypher cracking methods. But, generally, yes. Dictionary attacks on the passphrase are one of the only reasonable recourses for someone trying to hack a high-security modern encryption protocol.
Eric Hagen
If I'm not mistaken, though, the passphrase on the PGP private key is simply a bit of symmetric-key encryption to help protect your private key in the event that the key itself is compromised. But if you've got your key secured on, say, a CD in a locked drawer, and you send an e-mail encrypted with that key, the passphrase (or lack) is irrelevant; an attacker would still have to break the RSA encryption, of which the only current known means is brute force. The passphrase really only comes into play if your private key is compromised; e.g. the attacker breaks into your system and steals your key. Am I incorrect in this assumption? I've never really looked at the internal workings of PGP (but I was under the impression it's fairly stock RSA).
Cheers.
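Added example, not part of the original post and not PGP's own code: a Python sketch of the separation discussed in this message, where a passphrase-derived key only protects the stored private key and plays no part in encrypting to the public key. The tiny textbook-RSA key, the use of PBKDF2 with an HMAC-derived pad as a stand-in for PGP's key protection, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed textbook-RSA key with tiny primes and no padding: illustration only.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

def encrypt(m: int) -> int:
    """Uses only the public key (N, E); no passphrase is involved."""
    return pow(m, E, N)

def decrypt(c: int, d: int) -> int:
    """Needs the raw private exponent, however it was stored."""
    return pow(c, d, N)

def _keys(passphrase: str, salt: bytes):
    # PBKDF2 stands in for OpenPGP's string-to-key step (assumption).
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def wrap_private_key(d: int, passphrase: str) -> bytes:
    """Protect the private exponent at rest: salt || ciphertext || tag."""
    salt = os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    pad = hmac.new(enc_key, b"pad", hashlib.sha256).digest()[:4]
    ct = bytes(a ^ b for a, b in zip(d.to_bytes(4, "big"), pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap_private_key(blob: bytes, passphrase: str) -> int:
    """Recover the exponent; a wrong passphrase fails the integrity check."""
    salt, ct, tag = blob[:16], blob[16:20], blob[20:]
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key file")
    pad = hmac.new(enc_key, b"pad", hashlib.sha256).digest()[:4]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, pad)), "big")

if __name__ == "__main__":
    c = encrypt(65)  # the sender never sees a passphrase
    stored = wrap_private_key(D, "constructed passphrase")
    print(c, decrypt(c, unwrap_private_key(stored, "constructed passphrase")))
    print(decrypt(c, D))  # key kept offline and unwrapped: same result
```

The ciphertext is the same whichever passphrase wraps the key file, so passphrase strength matters only to someone who has obtained that file.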