[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Key Security Question



Bill Stewart <[email protected]> writes:

> >> My computer went into the shop a few days ago, and I was unable to take
> >> my PGP keys off it before it went in.  What are the security risks here?
> >> If the repairman chooses to snoop through the files, what would he be
> >> able to do with my key pair?  Will I need to revoke the key and make a
> >> new one, or will I be relatively safe since he doesn't have my
> >> passphrase?
>
> Passphrases are MD5-hashed into 128-bit IDEA keys and used to
> encrypt the secret key; there's a "pgpcrack" program out there
> that does dictionary-style searches to find if you've got
> wimpy passphrases.  So if your passphrases is "secret", you lose,
> but if it's "fjhw;doifvjuc-[09efiu v` 2	4rnhc;ljoipcvjpoiewujfgv;loik"
> you're probably pretty safe, unless that's written on the yellow
> sticky you left on the side of the PC.
>
> On the other hand, if the "repairman" replaced your pgp executable
> with version 2.6.3kgb, which uses your hashed passphrase as the
> session key, you're hosed.  Or if he installed a keystroke sniffer,
> or added a small radio transmitter to your keyboard, or whatever.
> Depends on your threat model.  If you need to be paranoid,
> they've already gotten you....

If you're really paranoid, you can boot from a clean floppy and
reinstall everything from your backup tapes. You do have a
contingency plan in case your hard disk goes bad, or gets a
virus, don't you? Well, if you're in doubt, exercise it.

---

<a href="mailto:[email protected]">Dr.Dimitri Vulis KOTM</a>
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps