cryptoanarchy.wiki

Arise, you have nothing to lose but your barbed wire fences!

1994-07-02 - The usefulness of PGP pass phrases

Header Data

From: rishab@dxm.ernet.in
To: andy@autodesk.com
Message Hash: 4699740fb9ea7cce9fbf54829fb6154cf520221bcedf8d36b9fe0bb38352196d
Message ID: <gate.78wuoc1w165w@dxm.ernet.in>
Reply To: N/A
UTC Datetime: 1994-07-02 14:15:53 UTC
Raw Date: Sat, 2 Jul 94 07:15:53 PDT

Raw message

From: rishab@dxm.ernet.in
Date: Sat, 2 Jul 94 07:15:53 PDT
To: andy@autodesk.com
Subject: The usefulness of PGP pass phrases
Message-ID: <gate.78wuoc1w165w@dxm.ernet.in>
MIME-Version: 1.0
Content-Type: text/plain


tcmay@netcom.com (Timothy C. May):
> > after you have entered the pass phrase, the secret key is available within 
> > your machine, and could be stolen, and if your OS leaves pagefiles etc
> > arounnd, might even be taken after you shut down PGP.
> > Or am I missing something? Thanks, Andy
> 
> I haven't seen a formal analysis of the strength of PGP if the secret
> key is known but the passphrase is still secure, but from conventional
> crypto we would assume that the search space would be greatly reduced.

The secret key is _encrypted_ with the passphrase. Strength of PGP with a
known secret keyFILE, not key, and unknown passphrase, is the strength of the
cipher used to encrypt the secret key with. In this case, the strength of IDEA.
Of course, your pass phrase is as susceptible to dictionary attack as your UNIX
password, and it would be easier to decrypt a message by decrypting through 
such attacks or brute force your keyfile, than to factor large numbers to get 
at your session key.

> You obviously can't do with just the paIn short, these are reasons to keep your secret key secret. Your
> passphrase alone may be insufficient (else why not just dispense with
> the secret key and just have a passphrase?).

RSA would have a tough time using a 11 char English phrase as an exponent ;-)

To quote from the PGP manual:

     PGP also asks for a "pass phrase" to protect your secret key in case
     it falls into the wrong hands.  
     Nobody can use your secret key file without this pass phrase.       
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ps. as Tim correctly said, Jains don't like killing living things. They are 
Jains, not Jainists (followers of some hypothetical Mr. Jain?); the word comes 
from the Sanskrit for 'to overcome'.

     
-----------------------------------------------------------------------------
Rishab Aiyer Ghosh             "Clean the air! clean the sky! wash the wind!
rishab@dxm.ernet.in                   take stone from stone and wash them..."
Voice/Fax/Data +91 11 6853410  
Voicemail +91 11 3760335                 H 34C Saket, New Delhi 110017, INDIA

Thread