
The usefulness of PGP pass phrases



[email protected] (Timothy C. May):
> > after you have entered the pass phrase, the secret key is available within 
> > your machine, and could be stolen, and if your OS leaves pagefiles etc
> > around, might even be taken after you shut down PGP.
> > Or am I missing something? Thanks, Andy
> 
> I haven't seen a formal analysis of the strength of PGP if the secret
> key is known but the passphrase is still secure, but from conventional
> crypto we would assume that the search space would be greatly reduced.

The secret key is _encrypted_ with the passphrase. The strength of PGP with a
known secret keyFILE, not key, and an unknown passphrase, is the strength of the
cipher used to encrypt the secret key, in this case the strength of IDEA.
Of course, your pass phrase is as susceptible to dictionary attack as your UNIX
password, and it would be easier to decrypt a message by attacking your keyfile
with such attacks or brute force than to factor large numbers to get at your
session key.

> You obviously can't do with just the pa
> In short, these are reasons to keep your secret key secret. Your
> passphrase alone may be insufficient (else why not just dispense with
> the secret key and just have a passphrase?).

RSA would have a tough time using an 11-char English phrase as an exponent ;-)

To quote from the PGP manual:

     PGP also asks for a "pass phrase" to protect your secret key in case
     it falls into the wrong hands.  
     Nobody can use your secret key file without this pass phrase.       
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ps. as Tim correctly said, Jains don't like killing living things. They are 
Jains, not Jainists (followers of some hypothetical Mr. Jain?); the word comes 
from the Sanskrit for 'to overcome'.

-----------------------------------------------------------------------------
Rishab Aiyer Ghosh             "Clean the air! clean the sky! wash the wind!
[email protected]                   take stone from stone and wash them..."
Voice/Fax/Data +91 11 6853410  
Voicemail +91 11 3760335                 H 34C Saket, New Delhi 110017, INDIA
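To make the point of the reply above concrete (a stolen keyfile is only as strong as IDEA until the passphrase can be guessed, and a guessable passphrase is far cheaper than factoring), here is an added Python example. It is not code from the original post or from PGP itself. It models a PGP 2.x-style secret key packet: the cipher key is MD5(passphrase), the secret MPI is encrypted under it, and a 16-bit checksum of the plaintext is stored alongside it, which is exactly what lets a dictionary attack confirm a guess offline. IDEA is not in the Python standard library, so an HMAC-SHA256 counter stream stands in for IDEA-CFB (an assumption; the cipher choice does not change the attack). The "private exponent", wordlist and passphrase are constructed sample data, and the mangling rules and search-space estimate are this example's own, not PGP's.

```python
import hashlib
import hmac
import math

# --- PGP 2.x-style secret key packet, modelled (assumptions marked) ----------

def mpi_encode(value: int) -> bytes:
    """PGP MPI layout: 2-byte big-endian bit count, then the magnitude bytes."""
    nbits = value.bit_length()
    return nbits.to_bytes(2, "big") + value.to_bytes((nbits + 7) // 8, "big")

def mpi_is_wellformed(data: bytes) -> bool:
    """A wrong passphrase yields random bytes; the bit-count prefix then almost
    never matches the body, which is what lets an attacker reject the guess."""
    if len(data) < 2:
        return False
    nbits = int.from_bytes(data[:2], "big")
    body = data[2:]
    return (len(body) == (nbits + 7) // 8
            and int.from_bytes(body, "big").bit_length() == nbits)

def checksum16(data: bytes) -> int:
    """16-bit sum of the plaintext bytes, stored next to the encrypted MPI."""
    return sum(data) & 0xFFFF

def derive_key(passphrase: str) -> bytes:
    """PGP 2.x used MD5(passphrase) as the 128-bit IDEA key: no salt and no
    iteration, so each dictionary guess costs one MD5 plus one decryption."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for IDEA-CFB (assumption: IDEA is not in the standard library).
    HMAC-SHA256 in counter mode; the attack does not depend on which cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_secret_key(secret_mpi: bytes, passphrase: str) -> dict:
    """What the secret keyring holds: ciphertext plus a plaintext checksum."""
    return {"ciphertext": stream_xor(derive_key(passphrase), secret_mpi),
            "checksum": checksum16(secret_mpi)}

def try_passphrase(keyfile: dict, passphrase: str):
    """Decrypt under a candidate passphrase; return the MPI if it verifies."""
    plain = stream_xor(derive_key(passphrase), keyfile["ciphertext"])
    if checksum16(plain) == keyfile["checksum"] and mpi_is_wellformed(plain):
        return plain
    return None

# --- Dictionary attack on the stolen keyfile ---------------------------------

def mangle(word: str):
    """Crack-style rules (this example's own); order fixes the attempt count."""
    return [word, word.capitalize(), word + "1", word.capitalize() + "1"]

def dictionary_attack(keyfile: dict, wordlist):
    """Return (passphrase, secret MPI, attempts), or None if the list fails."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            plain = try_passphrase(keyfile, candidate)
            if plain is not None:
                return candidate, plain, attempts
    return None

def passphrase_search_bits(dictionary_size: int, words: int, mangles: int) -> float:
    """Search space of a phrase of dictionary words, in bits, for comparison
    with the 128-bit IDEA key the keyfile is actually encrypted under."""
    return words * math.log2(dictionary_size * mangles)

# --- Constructed sample data (not real keys) ---------------------------------

# Constructed 256-bit integer standing in for an RSA private exponent.
SECRET_D = int.from_bytes(hashlib.sha256(b"constructed private exponent").digest(), "big")
SECRET_MPI = mpi_encode(SECRET_D)
WORDLIST = ["password", "letmein", "secret", "qwerty", "swordfish", "cypherpunk"]
KEYFILE = encrypt_secret_key(SECRET_MPI, "Swordfish1")

if __name__ == "__main__":
    hit = dictionary_attack(KEYFILE, WORDLIST)
    print("recovered:", hit[0], "after", hit[2], "guesses; secret intact:",
          hit[1] == SECRET_MPI)
    print("one mangled word from a 50,000-word list: %.1f bits of search space"
          % passphrase_search_bits(50_000, 1, 4))
```

The two verification checks (checksum and MPI well-formedness) are the attacker's oracle: with them, every guess is confirmed or rejected offline with no interaction with the victim, so the keyfile's effective strength is min(128 bits, passphrase entropy), and a single mangled dictionary word is under 20 bits. The same structure is why the reply's "strength of IDEA" claim holds only for a passphrase that is not in any wordlist.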