From: David Rosoff <drosoff@arc.unm.edu>
To: “Robert A. Hayden” <cypherpunks@toad.com>
Message Hash: 34b247f3c686ce29aad4365f42777d4a10fb133c0e8e01cba59b354ef5f5c9da
Message ID: <1.5.4.16.19960605000219.3a8734e2@arc.unm.edu>
Reply To: N/A
UTC Datetime: 1996-06-05 09:07:01 UTC
Raw Date: Wed, 5 Jun 1996 17:07:01 +0800
From: David Rosoff <drosoff@arc.unm.edu>
Date: Wed, 5 Jun 1996 17:07:01 +0800
To: "Robert A. Hayden" <cypherpunks@toad.com>
Subject: Re: Security of PGP if Secret Key Available?
Message-ID: <1.5.4.16.19960605000219.3a8734e2@arc.unm.edu>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
At 02.36 AM 6/3/96 -0500, Robert A. Hayden wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>About once a week we get some lame-o flame bait posted to
>alt.security.pgp or this mailing list or somewhere abotu some hole in
>PGP. We further say with fairly good reliability that they are bogus,
>get a light chuckle, and then go back to dealing with the real issues.
>
>However, I got to wondering about the security of PGP assuming somebody
>trying to read my PGPed stuff has my 1024-bit secret key. ie, if I have
>it on my personal computer, and somebody gets my secret key, how much
>less robust has PGP just become, and what are appropriate and reasonable
>steps to take to protect this weakness?
>
>Thanks
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>Comment: PGP Signed with PineSign 2.2
>
>iQCVAwUBMbJ5xTokqlyVGmCFAQGcAgQAvjFdZ+YLdQGxDHcT+GOwP82BSwiTYlaQ
>F9RV8L+radCK/SyeLnEtoodkKVqpcsItIQ/JJ44FOAmnsBLljuWqbhZMl8G8+uCB
>pcpkXpre83CwoM6qDKkCEyqCiMxq857ioCoqb+WRNJYbb++muVBDHADVzGoGOjLg
>cvIMxnnXF3c=
>=tnTb
>-----END PGP SIGNATURE-----
Once your secret key has been compromised, then all that prevents a Bad Guy
from reading your message is your secret key passphrase. (I believe that,
aside from grabbing keystrokes a la TEMPEST, the only way to get this passphrase
is by brute-forcing it, or maybe searching your house for the little piece
of paper that you may have written it on.) I have seen equations which claim
to compute the security of your passphrase and also passphrase generators -
I don't know if either are any good, though.
- -------------------------------------------------------------------------------
David Rosoff (nihongo o chiisaku dekimasu) drosoff@arc.unm.edu
For PGP key 0xD37692F9, finger drosoff@acoma.arc.unm.edu or get from keyservers
pub 1024/D37692F9 1995/07/01 David Rosoff <drosoff@arc.unm.edu>
Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67
I accept anonymous mail. If I didn't sign it, you don't know I wrote it.
- ---
"Made weak by time and fate, but strong in will / To strive, to seek, to find--
and not to yield." ----- "Ulysses", by Alfred, Lord Tennyson
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMbTCmBguzHDTdpL5AQEH4gP/TT3myaSislU3En4xwaB2cWmYhCItlhL/
nhLZM4uxOHv87zsHjYIBrHEHxVHnYOaH/Kd7zSRPRB0ArTDIMP/ZtYISMUNhfSd2
bX+LNdASX9rbiD1Vfcvb/vw6nKlfvdz2WoeeTE/yqSeHjnE7+izEX4Xi/9mHB4s/
N9DDK16kgi4=
=snQo
-----END PGP SIGNATURE-----
Return to June 1996
Return to “David Rosoff <drosoff@arc.unm.edu>”
1996-06-05 (Wed, 5 Jun 1996 17:07:01 +0800) - Re: Security of PGP if Secret Key Available? - David Rosoff <drosoff@arc.unm.edu>