-----BEGIN PGP SIGNED MESSAGE-----

In article <199407020841.AA23083@world.std.com> you write:

> Back to a rephrasing of my original question: should programs like PGP super-duper encrypt the private key (and remove those hints people have mentioned recently) as a way of slowing down brute-force attacks?

In general, multiple encryption does not significantly increase security. Just for starters, we don't know if IDEA is a group. If it is, you can encrypt all you want and you won't get one extra bit of security. Trying to analyse just *one* cryptosystem or algorithm for security holes and information leaks is hard enough - trying to analyse the interaction between several layers of said algorithm or even between different algorithms seems harder and lacking in promise.

Of course you could view this as defence of multiple encryption: "if there *is* some weird interaction that reveals my key when you xor the secret-key file with any Nick Danger script, no one will ever discover it because it will be too hard" but this strikes me as the security through obscurity myth. You can't get something for nothing. With a 12 bit pass phrase, you have 12 bits of security - I don't see any known way to increase this without increasing the pass phrase length.

I haven't looked into this a lot, but I wonder how the approach used with many unix passwd utilities would fare? For instance, checking password/phrase crackability if you will - comparing against a dictionary, measuring entropy or just plain not accepting pass phrases shorter than x. Also, many passwd utils will generate "pronounceable" random text. Perhaps several short words generated thusly would get you the entropy you need.

Thoughts?

--
Baba baby mama shaggy papa baba bro baba rock a shaggy baba sister shag saggy hey doc baba baby shaggy hey baba can you dig it baba baba
E7 E3 90 7E 16 2E F3 45 * 28 24 2E C6 03 02 37 5C
Stuart Smith <stu@nemesis.wimsey.com>
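An added example (not code from the original post) of the passwd-style checks and word-based generation the post suggests: it rejects passphrases that are too short or sit in a dictionary, estimates their entropy, and computes how many words drawn from a list of a given size reach a target number of bits. The wordlist, the dictionary and the thresholds are constructed assumptions.

```python
import math
import secrets

# Constructed toy wordlist; a real generator would load thousands of words,
# since each word contributes log2(list size) bits.
WORDLIST = [
    "anvil", "cobalt", "ember", "fjord", "gravel", "hinge", "iris", "jumbo",
    "kelp", "lunar", "mango", "nomad", "onyx", "pixel", "quartz", "raven",
]
# Constructed stand-in for a cracker's dictionary of known phrases.
COMMON_PHRASES = {"password", "letmein", "the quick brown fox jumps"}


def entropy_bits(phrase: str) -> float:
    """Crude upper bound: treat every character as an independent draw from
    the union of the character classes present (lower/upper/digit/other)."""
    classes = 0
    if any(c.islower() for c in phrase):
        classes += 26
    if any(c.isupper() for c in phrase):
        classes += 26
    if any(c.isdigit() for c in phrase):
        classes += 10
    if any(not c.isalnum() for c in phrase):
        classes += 33  # printable ASCII punctuation and space
    return len(phrase) * math.log2(classes) if classes else 0.0


def check_passphrase(phrase: str, min_len: int = 16, min_bits: float = 64.0):
    """passwd-style acceptance test: returns (accepted, reason)."""
    if len(phrase) < min_len:
        return False, f"shorter than {min_len} characters"
    if phrase.lower() in COMMON_PHRASES:
        return False, "found in dictionary"
    bits = entropy_bits(phrase)
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits, need {min_bits}"
    return True, f"estimated {bits:.1f} bits"


def words_needed(target_bits: float, list_size: int) -> int:
    """Words to draw from a list of list_size entries to reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, wordlist=WORDLIST):
    """Draw n_words uniformly with a CSPRNG. Entropy is n*log2(len(wordlist))
    whatever the words look like, so the strength can be stated exactly."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return " ".join(words), n_words * math.log2(len(wordlist))
```

The character-class estimate is only an upper bound (it credits a dictionary phrase with full per-character entropy until the dictionary check catches it), whereas the word-list figure is exact because the selection is uniform.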
In general, multiple encryption does not signifigantly increase security. Just for starters, we don't know if IDEA is a group.. If it is, you can encrypt all you want and you won't get one extra bit of security. Trying to analyse just *one* cryptosystem or algorithm for security holes and information leaks is hard enough - trying to analyse the interaction between several layers of said algorithm or even between different algorithms seems harder and lacking in promise. Of course you could view this as defence of multiple-encryption: "if there *is* some weird interaction that reveals my key when you xor the secret-key file with any Nick Danger script, no one will ever discover it because it will be too hard" but this strikes me as the security through obscurity myth. You can't get something for nothing. With a 12 bit pass phrase, you have 12 bits of security - I don't see any known way to increase this without increasing the pass phrase length. I haven't looked into this alot, but I wonder how the approach used with many unix passwd utilities would fare? For instance, checking password/phrase crackability if you will - comparing against a dictionary, measuring entropy or just plain not accepting pass phrases shorter than x. Also, many passwd utils will generate "pronouncable" random text. Perhaps with several short words generated thusly would get you the entropy you need. Thoughts? - -- Baba baby mama shaggy papa baba bro baba rock a shaggy baba sister shag saggy hey doc baba baby shaggy hey baba can you dig it baba baba E7 E3 90 7E 16 2E F3 45 * 28 24 2E C6 03 02 37 5C Stuart Smith <stu@nemesis.wimsey.com> -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLhb4kKi5iP4JtEWBAQGjyQP7BIFaiEGEbAs3JFMCL/A/NBn5GIqB1XqK KZwlKHixqDhG3TaqrxTIbe5e6/rKGnYz8ct2ETq3BZMucSuv4nFwizXxlw8Ra9zO IWCbre0j2A/wOEd2mLksov1cnJdwVDYQ2XIyTvV55J2ajIxiu4rIA0ErOIEE2sH0 dn2R9K9A6qU= =tFK0 -----END PGP SIGNATURE-----