1998-11-03 - Re: don’t use passwords as private keys (was Re: Using a passwordas a private key.)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: petro@playboy.com
Message Hash: 31ed0f1fb62899123cd440a0c5448de798c6424b2b07cdb85ee6d8036acf83bc
Message ID: <199811032218.WAA22735@server.eternity.org>
Reply To: <v0401170eb2650185288c@[206.189.103.230]>
UTC Datetime: 1998-11-03 23:24:32 UTC
Raw Date: Wed, 4 Nov 1998 07:24:32 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Wed, 4 Nov 1998 07:24:32 +0800
To: petro@playboy.com
Subject: Re: don't use passwords as private keys (was Re: Using a passwordas a private key.)
In-Reply-To: <v0401170eb2650185288c@[206.189.103.230]>
Message-ID: <199811032218.WAA22735@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




Petro <petro@playboy.com> writes:
> >You can't forget passphrases.  You can destroy private key files.
> 
> 	Yes, you can. I had an art director forget his 4 days running,
> AFTER LUNCH. He remembered it in the morning, but after lunch he couldn't.

With the kind of "memory aid" we were talking about here (legal
threat, 1 year's imprisonment for contempt to aid memory, perhaps
torture) he might just have remembered it.  If he didn't he'd likely
get a year or so to try to remember it in prison on contempt charges for
not handing it over.

Deleting keys on the other hand, contempt would be a waste of time,
you're never going to remember what you don't know, and they ought to
be convincible of this if you can show the software documentation
describing forward secret key material deletion.

> 	It wasn't a "passphrase" either, it was a _very_ weak password.

Also note that it is not necessary to remember the password precisely,
just narrow the search space down to provide a viable dictionary
attack of 56 bits or whatever.

The art director's password sounds like it was already below that.

Adam
-- 
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`




