1997-02-02 - Re: Key Security Question

Header Data

From: “Dr.Dimitri Vulis KOTM” <dlv@bwalk.dm.com>
To: cypherpunks@toad.com
Message Hash: 3faff6de1dfe09b9767b0e267c0d41d369e02d3d6c7a53e366caa41d7f88c0d0
Message ID: <199702020956.BAA16034@toad.com>
Reply To: N/A
UTC Datetime: 1997-02-02 09:56:27 UTC
Raw Date: Sun, 2 Feb 1997 01:56:27 -0800 (PST)

Raw message

From: "Dr.Dimitri Vulis KOTM" <dlv@bwalk.dm.com>
Date: Sun, 2 Feb 1997 01:56:27 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Key Security Question
Message-ID: <199702020956.BAA16034@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


Bill Stewart <stewarts@ix.netcom.com> writes:

> >> My computer went into the shop a few days ago, and I was unable to take
> >> my PGP keys off it before it went in.  What are the security risks here?
> >> If the repairman chooses to snoop through the files, what would he be
> >> able to do with my key pair?  Will I need to revoke the key and make a
> >> new one, or will I be relatively safe since he doesn't have my
> >> passphrase?
>
> Passphrases are MD5-hashed into 128-bit IDEA keys and used to
> encrypt the secret key; there's a "pgpcrack" program out there
> that does dictionary-style searches to find if you've got
> wimpy passphrases.  So if your passphrases is "secret", you lose,
> but if it's "fjhw;doifvjuc-[09efiu v` 2	4rnhc;ljoipcvjpoiewujfgv;loik"
> you're probably pretty safe, unless that's written on the yellow
> sticky you left on the side of the PC.
>
> On the other hand, if the "repairman" replaced your pgp executable
> with version 2.6.3kgb, which uses your hashed passphrase as the
> session key, you're hosed.  Or if he installed a keystroke sniffer,
> or added a small radio transmitter to your keyboard, or whatever.
> Depends on your threat model.  If you need to be paranoid,
> they've already gotten you....

If you're really paranoid, you can boot from a clean floppy and
reinstall everything from your backup tapes. You do have a
contingency plan in case your hard disk goes bad, or gets a
virus, don't you? Well, if you're in doubt, exercise it.

---

Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps






Thread