[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security of PGP if Secret Key Available?



-----BEGIN PGP SIGNED MESSAGE-----

At 02.36 AM 6/3/96 -0500, Robert A. Hayden wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>About once a week we get some lame-o flame bait posted to 
>alt.security.pgp or this mailing list or somewhere abotu some hole in 
>PGP.  We further say with fairly good reliability that they are bogus, 
>get a light chuckle, and then go back to dealing with the real issues.
>
>However, I got to wondering about the security of PGP assuming somebody 
>trying to read my PGPed stuff has my 1024-bit secret key.  ie, if I have 
>it on my personal computer, and somebody gets my secret key, how much 
>less robust has PGP just become, and what are appropriate and reasonable 
>steps to take to protect this weakness?
>
>Thanks
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>Comment: PGP Signed with PineSign 2.2
>
>iQCVAwUBMbJ5xTokqlyVGmCFAQGcAgQAvjFdZ+YLdQGxDHcT+GOwP82BSwiTYlaQ
>F9RV8L+radCK/SyeLnEtoodkKVqpcsItIQ/JJ44FOAmnsBLljuWqbhZMl8G8+uCB
>pcpkXpre83CwoM6qDKkCEyqCiMxq857ioCoqb+WRNJYbb++muVBDHADVzGoGOjLg
>cvIMxnnXF3c=
>=tnTb
>-----END PGP SIGNATURE-----

Once your secret key has been compromised, then all that prevents a Bad Guy
from reading your message is your secret key passphrase. (I believe that,
aside from grabbing keystrokes a la TEMPEST, the only way to get this passphrase
is by brute-forcing it, or maybe searching your house for the little piece
of paper that you may have written it on.) I have seen equations which claim
to compute the security of your passphrase and also passphrase generators - 
I don't know if either are any good, though.

- -------------------------------------------------------------------------------
David Rosoff (nihongo o chiisaku dekimasu)                  [email protected]
For PGP key 0xD37692F9, finger [email protected] or get from keyservers
pub  1024/D37692F9 1995/07/01 David Rosoff <[email protected]>
          Key fingerprint =  25 7D AA 01 85 41 43 89  50 5A 33 76 F1 F1 99 67
I accept anonymous mail. If I didn't sign it, you don't know I wrote it.
- ---
"Made weak by time and fate, but strong in will / To strive, to seek, to find--
and not to yield." ----- "Ulysses", by Alfred, Lord Tennyson


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMbTCmBguzHDTdpL5AQEH4gP/TT3myaSislU3En4xwaB2cWmYhCItlhL/
nhLZM4uxOHv87zsHjYIBrHEHxVHnYOaH/Kd7zSRPRB0ArTDIMP/ZtYISMUNhfSd2
bX+LNdASX9rbiD1Vfcvb/vw6nKlfvdz2WoeeTE/yqSeHjnE7+izEX4Xi/9mHB4s/
N9DDK16kgi4=
=snQo
-----END PGP SIGNATURE-----