1994-12-02 - Re: public accounts / PGP / passphrases

Header Data

From: collsc@snowbird.aud.alcatel.com
To: cypherpunks@toad.com
Message Hash: ac60c76e6586cb6ae4f6447df5affeaba36d549ddb0d3368b7550b6501cf605b
Message ID: <199412021422.JAA13606@bb.hks.net>
Reply To: N/A
UTC Datetime: 1994-12-02 14:17:26 UTC
Raw Date: Fri, 2 Dec 94 06:17:26 PST

Raw message

From: collsc@snowbird.aud.alcatel.com
Date: Fri, 2 Dec 94 06:17:26 PST
To: cypherpunks@toad.com
Subject: Re: public accounts / PGP / passphrases
Message-ID: <199412021422.JAA13606@bb.hks.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----


> From owner-cypherpunks@toad.com  Thu Dec  1 20:25:31 1994
> Date: Thu, 1 Dec 1994 21:18:55 -0500
> Subject: public accounts / PGP / passphrases
> To: cypherpunks@toad.com
> From: lmccarth@ducie.cs.umass.edu
> X-Server-Version: Cactus-Serv 1.1
> Reply-To: cypherpunks@bb.hks.net
> Sender: owner-cypherpunks@toad.com
> Content-Length: 1705
> 

Rather than assume that the "Reply-To:" field shown above is appropriate,
I have Cc'ed your originating address as well.  So, if you get two copies
of this, you'll know why. 

> 
> Could someone please elaborate on the foolishness of using PGP with a 
> passphrase on a public machine (as I do) ?  Am I wrong in thinking that my
> secret key is useless to an intruder until she guesses my passphrase ?  I
> have no net access except via an account on a public machine, so I'm not
> about to start storing my secret key elsewhere, but I'll change my passphrase
> to <null> if it's irrelevant anyway.  I just reviewed the PGP docs a bit and
> Phil says "Nobody can use your secret key file without this pass phrase.",
> which seems to contradict what many people on the list have said.
>

Postulate an unscrupulous sysadmin (or anyone who manages to get the password
for 'root' via fair means or foul).  Let's call him Charlie (since we know
that neither Alice nor Bob would do such a thing :).  Charlie could easily
install a process which logs each keystroke you enter, thus capturing your
passphrase in said log.  Alternately, he could substitute a rogue version
of PGP for the real version.  This rogue version would function exactly like
the real version (to avoid suspicion on your part), but would surreptitiously
copy your secret key and passphrase into a log file.

Admittedly, this kind of attack is far-fetched.  As long as you are aware of
the possibility, you are free to assess the likelihood of such an attack and
proceed accordingly.


- --
Scott Collins            "Now, thanks to the computer revolution, many
Alcatel Network Systems   geeks make ten times as much money as you do."
Richardson, Texas                Canter & Siegel, the Green Card Lawyers


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBFAwUBLt8tgyoZzwIn1bdtAQFxDAF/Vu1A4jQ5R0hW2OODcMMPCjeCFZG0aRvB
OJDeQZi5hBGAVjVk2QOeCZR//zWvp1lC
=Rpnk
-----END PGP SIGNATURE-----

[This message has been signed by an auto-signing service.
 A valid signature means only that it has been received at
 the address belonging to the signature and forwarded.]






Thread