
Security Basics mailing list archives

Re: Crypto Question
From: N407ER <n407er () myrealbox com>
Date: Sat, 15 Nov 2003 20:36:58 -0500

Hagen, Eric wrote:
> In an asymmetric cypher (e.g. PGP) you can take steps to protect your
> private key (such as keeping it encrypted in a "conventional" encrypted
> archive or hidden somewhere).  That can mitigate the risk of having a weak
> passphrase, but it's no reliable substitute.  If your data is in jeopardy,
> destroying the private key makes the archive inaccessible except through
> brute-force cypher cracking methods.
>
> But, generally, yes.  Dictionary attacks on the passphrase are one of the
> only reasonable recourses for someone trying to hack a high-security modern
> encryption protocol.
>
> Eric Hagen

If I'm not mistaken, though, the passphrase on the PGP private key is simply a bit of symmetric-key encryption to help protect your private key in the event that the key itself is compromised. But if you've got your key secured on, say, a CD in a locked drawer, and you send an e-mail encrypted with that key, the passphrase (or lack) is irrelevant; an attacker would still have to break the RSA encryption, of which the only current known means is brute force. The passphrase really only comes into play if your private key is compromised; e.g. the attacker breaks into your system and steals your key. Am I incorrect in this assumption? I've never really looked at the internal workings of PGP (but I was under the impression it's fairly stock RSA).
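
The layering described in the message above (a passphrase that only wraps the stored private key, with the message itself encrypted to the public key), as an added example that is not part of the original post and is not PGP's own code. It assumes classroom-sized RSA numbers and a PBKDF2 keystream with an HMAC tag as a stand-in for the real key-protection cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy RSA key pair (constructed, classroom-sized; real keys are thousands of bits).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the secret being protected

def _derive(passphrase, salt, length):
    # Stretch the passphrase into a keystream plus a 32-byte MAC key (stand-in KDF).
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, length + 32)
    return okm[:length], okm[length:]

def wrap_private_key(d, passphrase):
    # Symmetric protection of the key at rest; a fresh salt is used per wrap.
    raw = d.to_bytes(4, "big")
    salt = secrets.token_bytes(16)
    stream, mac_key = _derive(passphrase, salt, len(raw))
    body = bytes(a ^ b for a, b in zip(raw, stream))
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + body + tag

def unwrap_private_key(blob, passphrase):
    salt, body, tag = blob[:16], blob[16:-32], blob[-32:]
    stream, mac_key = _derive(passphrase, salt, len(body))
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key file")
    return int.from_bytes(bytes(a ^ b for a, b in zip(body, stream)), "big")

def encrypt_to_public(m):
    # Uses only the public values (E, N); no passphrase is involved.
    return pow(m, E, N)

def decrypt_with_private(c, d):
    return pow(c, d, N)

def demo():
    keyfile = wrap_private_key(D, "correct horse")           # what sits on disk
    c = encrypt_to_public(1234)                               # message to the key owner
    d = unwrap_private_key(keyfile, "correct horse")
    rewrapped = wrap_private_key(d, "a different passphrase") # passphrase change
    d2 = unwrap_private_key(rewrapped, "a different passphrase")
    try:
        unwrap_private_key(keyfile, "guess")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return decrypt_with_private(c, d), decrypt_with_private(c, d2), wrong_rejected
```

Changing the passphrase rewrites only the key file; the ciphertext produced before the change still decrypts with the same private exponent.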

