
Re: public accounts / PGP / passphrases



-----BEGIN PGP SIGNED MESSAGE-----


> From [email protected]  Thu Dec  1 20:25:31 1994
> Date: Thu, 1 Dec 1994 21:18:55 -0500
> Subject: public accounts / PGP / passphrases
> To: [email protected]
> From: [email protected]
> X-Server-Version: Cactus-Serv 1.1
> Reply-To: [email protected]
> Sender: [email protected]
> Content-Length: 1705
> 

Rather than assume that the "Reply-To:" field shown above is appropriate,
I have Cc'ed your originating address as well.  So, if you get two copies
of this, you'll know why. 

> 
> Could someone please elaborate on the foolishness of using PGP with a 
> passphrase on a public machine (as I do) ?  Am I wrong in thinking that my
> secret key is useless to an intruder until she guesses my passphrase ?  I
> have no net access except via an account on a public machine, so I'm not
> about to start storing my secret key elsewhere, but I'll change my passphrase
> to <null> if it's irrelevant anyway.  I just reviewed the PGP docs a bit and
> Phil says "Nobody can use your secret key file without this pass phrase.",
> which seems to contradict what many people on the list have said.
>

Postulate an unscrupulous sysadmin (or anyone who manages to get the password
for 'root' via fair means or foul).  Let's call him Charlie (since we know
that neither Alice nor Bob would do such a thing :).  Charlie could easily
install a process which logs each keystroke you enter, thus capturing your
passphrase in said log.  Alternately, he could substitute a rogue version
of PGP for the real version.  This rogue version would function exactly like
the real version (to avoid suspicion on your part), but would surreptitiously
copy your secret key and passphrase into a log file.

Admittedly, this kind of attack is far-fetched.  As long as you are aware of
the possibility, you are free to assess the likelihood of such an attack and
proceed accordingly.


- --
Scott Collins            "Now, thanks to the computer revolution, many
Alcatel Network Systems   geeks make ten times as much money as you do."
Richardson, Texas                Canter & Siegel, the Green Card Lawyers


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBFAwUBLt8tgyoZzwIn1bdtAQFxDAF/Vu1A4jQ5R0hW2OODcMMPCjeCFZG0aRvB
OJDeQZi5hBGAVjVk2QOeCZR//zWvp1lC
=Rpnk
-----END PGP SIGNATURE-----

[This message has been signed by an auto-signing service.
 A valid signature means only that it has been received at
 the address belonging to the signature and forwarded.]
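The substitution attack described in the reply (a rogue `pgp` that behaves like the real one but leaks the key and passphrase) is the kind of change a pinned-hash check can catch. The script below is an added example, not code from the message or from PGP: the user records a SHA-256 of the binary taken from a copy they trust (for example the distribution media) and compares the installed file against it before each use. The file paths, contents and manifest are constructed for the demo. The obvious caveat follows from the message itself: if the administrator has root, the verifier and the stored hashes live on the same untrusted machine, so the check only raises the bar for a careless substitution; it does nothing against a keystroke logger.

```python
"""Pinned-hash integrity check for a binary on a shared host.

Added example (not from the original message). Models the defence against
the "rogue PGP" substitution: compare the installed binary with a SHA-256
pinned from a trusted copy. Paths and contents here are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_manifest(manifest: Dict[str, str]) -> Dict[str, str]:
    """Return a status per path: 'ok', 'MODIFIED' or 'MISSING'.

    `manifest` maps an installed path to the hex SHA-256 pinned from a
    trusted copy of that file.
    """
    results = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "MISSING"
        elif sha256_of_file(path) != expected:
            results[path] = "MODIFIED"
        else:
            results[path] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Constructed walk-through: pin a stand-in 'pgp', then tamper with it."""
    tmp = tempfile.mkdtemp()
    binary = os.path.join(tmp, "pgp")  # hypothetical install path
    with open(binary, "wb") as f:
        f.write(b"#!/bin/sh\necho genuine pgp\n")
    # The pinned value would normally come from trusted media, not from
    # the shared host; here it is taken before the tampering for the demo.
    manifest = {binary: sha256_of_file(binary)}
    before = check_manifest(manifest)
    # Same name and mode, different contents: what a substitution looks like.
    with open(binary, "wb") as f:
        f.write(b"#!/bin/sh\necho replaced pgp\n")
    after = check_manifest(manifest)
    return {"before": before[binary], "after": after[binary]}


if __name__ == "__main__":
    for stage, status in demo().items():
        print(f"{stage}: {status}")
```

In practice the manifest file and this script would be carried on removable media or typed in from a printed copy, since a manifest stored on the public machine can be edited by the same administrator who replaced the binary.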