1994-07-08 - Re: FW: Physical storage of key is the weakest link

Header Data

From: lcottrell@popmail.ucsd.edu (Lance Cottrell)
To: cypherpunks@toad.com
Message Hash: 8cab513727c2b2bbcf1055a0a049eb0fba03529ef7b86c2910f638fe16428e36
Message ID: <199407080638.XAA11815@ucsd.edu>
Reply To: N/A
UTC Datetime: 1994-07-08 06:39:04 UTC
Raw Date: Thu, 7 Jul 94 23:39:04 PDT

Raw message

From: lcottrell@popmail.ucsd.edu (Lance Cottrell)
Date: Thu, 7 Jul 94 23:39:04 PDT
To: cypherpunks@toad.com
Subject: Re: FW: Physical storage of key is the weakest link
Message-ID: <199407080638.XAA11815@ucsd.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

chris.claborne@sandiegoca.ncr.com writes:
><< some suggestion to keep keys secure on floppy>>
>
><<Lance Cottrell writes:
>If your passphrase is good (128+ bits of entropy), then your private key is
>as secure as the messages that you send. Although it need be broken only
>once, I see no real danger of IDEA being compromised in the near future.
>Given a good passphrase, I would suggest that you want multiple copies of
>your key to prevent loss or accidental destruction. My passphrase is > 30
>characters. Fortunately Mac PGP remembers the key during any given session
>so typing is kept down a bit.
>>>
>
>If you are really paranoid, keeping your private keys super secure is a good
>idea.  If a bad guy were to come and steal them, all she needs to do is find out
>your passphrase (using all kinds of attacks.... camera over your desk....)
>and bingo, they can read all past and future message traffic to you...

There are two things to be paranoid about. One is that other people could
get access to your information. The other is that you might lose access to
your information and the ability to authenticate yourself.

My personal comfort level is currently: having a few copies of the secret
key which I keep physical control over, only using PGP on my personal
computer, and protecting it with a very inconvenient passphrase. Should I
also mention that I keep the key, PGP, and all my other crypto stuff on an
encrypted partition?

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAgUBLhz1+FVkk3dax7hlAQGNlgP9EYV7YWcLCeoNqGYJjZ46KcCglhB3zcpC
mu/e1Jr26GPDyKNQySEvVuGNAKKQs0Ep9K1HIUmTt5jaalMh+SE4eeNwfuTV3RtT
bsy32E0n7AwTMgOLNeA1jhkBFTxpCnT0lSTO/oKQecnukkkgtxlcl+7gzrs1yhn8
R+V4bZoukCc=
=W255
-----END PGP SIGNATURE-----

--------------------------------------------------
Lance Cottrell  who does not speak for CASS/UCSD
loki@nately.ucsd.edu
PGP 2.3 key available by finger or server.

"Love is a snowmobile racing across the tundra.  Suddenly
it flips over, pinning you underneath.  At night the ice
weasels come."
                        --Nietzsche






