From: Eric Murray <ericm@lne.com>
To: alan@ctrl-alt-del.com (Alan Olsen)
Message Hash: 9217a54715bb7d58da5fe05570e99063fa15388ecfd99c3bdbbebc0b52296599
Message ID: <199702012048.MAA27571@slack.lne.com>
Reply To: <199702011955.LAA24678@toad.com>
UTC Datetime: 1997-02-01 20:49:54 UTC
Raw Date: Sat, 1 Feb 1997 12:49:54 -0800 (PST)
Subject: Re: Key Security Question

Alan Olsen writes:
> At 10:41 AM 1/31/97 -0800, Z.B. wrote:
> >My computer went into the shop a few days ago, and I was unable to take
> >my PGP keys off it before it went in. What are the security risks here?
> >If the repairman chooses to snoop through the files, what would he be
> >able to do with my key pair? Will I need to revoke the key and make a
> >new one, or will I be relatively safe since he doesn't have my
> >passphrase?
>
> Depends on how guessable your passphrase is. If you use something that would
> fall to a dictionary attack, then you are vulnerable. (Providing that they
> actually looked for your keyring and made a copy.)
>
> If you had nyms on your keyring, then those nyms can be associated with your
> "true name" with no passphrase required. (Unless you keep your keyring
> encrypted. Private Idaho supports encrypted keyrings, but little else does.)

Other attacks would be installing a keyboard sniffer, replacing your
PGP binary with a trojan that records your passphrase, etc.
This sort of stuff is quite possible but not likely. Yet.

> If you are really concerned about it, you could learn to do your own computer
> repairs.

Or put your PGP keys on removable media.

--
Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF