1993-10-27 - Re: Security of PGP private keys

Header Data

From: dmandl@lehman.com (David Mandl)
To: jrk@sys.uea.ac.uk
Message Hash: 4b6e1b0b766e358d7bf1e7ca43c2e03a3ca60b90e1f63134f71c199231b21803
Message ID: <9310271518.AA03375@disvnm2.lehman.com>
Reply To: N/A
UTC Datetime: 1993-10-27 15:52:41 UTC
Raw Date: Wed, 27 Oct 93 08:52:41 PDT

Raw message

From: dmandl@lehman.com (David Mandl)
Date: Wed, 27 Oct 93 08:52:41 PDT
To: jrk@sys.uea.ac.uk
Subject: Re: Security of PGP private keys
Message-ID: <9310271518.AA03375@disvnm2.lehman.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: jrk@sys.uea.ac.uk (Richard Kennaway)
> 
> PGP secret keys are protected by a password.  Yet people have said that one
> should not keep one's secret keyring on an insecure machine.  Why?
> 
> --                                  ____
> Richard Kennaway                  __\_ /    School of Information Systems
> Internet:  jrk@sys.uea.ac.uk      \  X/     University of East Anglia
> uucp:  ...mcsun!ukc!uea-sys!jrk    \/       Norwich NR4 7TJ, U.K.


1. Why take chances?  Once the evil intruder has the file, she can throw
test passwords at it from now till doomsday and might be able to crack it.

2. On shared machines, there are ways for users with the appropriate access
to read your keystrokes (like, for example, when you type in your pass phrase).
Anyone with that access should also be able to grab your secring.pgp with no
problem, and that's that.

   --Dave.





Thread