Re: Security of PGP if Secret Key Available?
On Jun 3, 2:36, "Robert A. Hayden" wrote:
However, I got to wondering about the security of PGP assuming somebody trying to read my PGPed stuff has my 1024-bit secret key. ie, if I have it on my personal computer, and somebody gets my secret key, how much less robust has PGP just become, and what are appropriate and reasonable steps to take to protect this weakness?
If the secret key is available then an attacker knows the length of p & q. Admittedly this will not usually help matters much, but I still feel that the lengths of p and q should be encrypted with the passphrase - perhaps in PGP3.0? (Derek?)

Gary
--
pub 1024/C001D00D 1996/01/22 Gary Howland <gary@systemics.com>
Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06
On Wed, 5 Jun 1996, Gary Howland wrote:
On Jun 3, 2:36, "Robert A. Hayden" wrote:
However, I got to wondering about the security of PGP assuming somebody trying to read my PGPed stuff has my 1024-bit secret key. ie, if I have it on my personal computer, and somebody gets my secret key, how much less robust has PGP just become, and what are appropriate and reasonable steps to take to protect this weakness?
If the secret key is available then an attacker knows the length of p & q. Admittedly this will not usually help matters much, but I still feel that the lengths of p and q should be encrypted with the passphrase - perhaps in PGP3.0? (Derek?)
I don't see how knowing the exact lengths of p and q will help matters much. I don't think it will speed up the factoring time, and it won't make brute-forcing the passphrase any easier.

-- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"In Christianity neither morality nor religion come into contact with reality at any point." -- Friedrich Nietzsche
Mark M. wrote:
On Wed, 5 Jun 1996, Gary Howland wrote:
On Jun 3, 2:36, "Robert A. Hayden" wrote:
However, I got to wondering about the security of PGP assuming somebody trying to read my PGPed stuff has my 1024-bit secret key. ie, if I have it on my personal computer, and somebody gets my secret key, how much less robust has PGP just become, and what are appropriate and reasonable steps to take to protect this weakness?
If the secret key is available then an attacker knows the length of p & q. Admittedly this will not usually help matters much, but I still feel that the lengths of p and q should be encrypted with the passphrase - perhaps in PGP3.0? (Derek?)
I don't see how knowing the exact lengths of p and q will help matters much.
That's what I said. There are however a few cases where it may help. Two that spring to mind are the brute force factoring of the BlackNet key - this may have been faster if half of the potential factors could have been ignored due to wrong key lengths (although I suspect this depends upon the factoring algorithm), and the other is that of identifying low quality keys with a small factor (perhaps generated by low quality software).
I don't think it will speed up the factoring time
Again, I would say this depends upon the factoring algorithm.

Gary
--
pub 1024/C001D00D 1996/01/22 Gary Howland <gary@systemics.com>
Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06
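The point debated above, as an added example that is not part of the original thread: in the version 2/3 secret-key packet layout later documented in RFC 4880, each secret MPI keeps its two-byte bit-count prefix in cleartext and only the MPI body is encrypted, so the lengths of p and q (including the lopsided small-factor case Gary mentions) can be read without the passphrase. The packet bodies come from the hypothetical helper `build_sample` and are constructed filler, not real key material; only cipher id 0 (none) or 1 (IDEA) is handled.

```python
import struct

def _mpi(bits, fill):
    """Build an MPI: 2-byte big-endian bit count, then ceil(bits/8) bytes."""
    return struct.pack(">H", bits) + bytes([fill]) * ((bits + 7) // 8)

def build_sample(p_bits, q_bits):
    """Constructed V3 RSA secret-key packet body (assumption: filler bytes
    stand in for the IDEA-CFB ciphertext of each secret MPI)."""
    n_bits = p_bits + q_bits
    return (
        struct.pack(">BIHB", 3, 0, 0, 1)           # version, created, validity, RSA
        + _mpi(n_bits, 0xC3) + _mpi(5, 0x11)       # public n and e, cleartext
        + b"\x01" + b"\x00" * 8                    # cipher id 1 (IDEA), 8-byte IV
        + _mpi(n_bits - 3, 0xAA)                   # d: prefix clear, body encrypted
        + _mpi(p_bits, 0xBB) + _mpi(q_bits, 0xCC)  # p, q: same
        + _mpi(p_bits - 2, 0xDD)                   # u: same
        + b"\x00\x00"                              # checksum placeholder
    )

def _read_mpi(buf, off):
    """Return (bit_length, next_offset) for the MPI starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return bits, end

def secret_mpi_bit_lengths(body):
    """Read every MPI bit length from a V2/V3 RSA secret key, no passphrase."""
    version, _created, _validity, algo = struct.unpack_from(">BIHB", body, 0)
    if version not in (2, 3) or algo != 1:
        raise ValueError("only V2/V3 RSA keys are handled")
    off, lengths = 8, {}
    for name in ("n", "e"):
        lengths[name], off = _read_mpi(body, off)
    cipher = body[off]
    if cipher not in (0, 1):
        raise ValueError("unhandled protection byte")
    off += 1 + (8 if cipher == 1 else 0)           # skip the IV when encrypted
    for name in ("d", "p", "q", "u"):
        lengths[name], off = _read_mpi(body, off)  # prefixes are not encrypted
    return lengths

if __name__ == "__main__":
    for p_bits, q_bits in ((512, 512), (64, 960)):  # balanced vs. small factor
        print(secret_mpi_bit_lengths(build_sample(p_bits, q_bits)))
```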
If the secret key is available then an attacker knows the length of p & q. Admittedly this will not usually help matters much, but I still feel that the lengths of p and q should be encrypted with the passphrase - perhaps in PGP3.0? (Derek?)
PGPlib has an interface to encrypt the whole keyring, however that probably isn't going to be fully implemented unless time permits. This interface allows you to encrypt the WHOLE keyring in a passphrase, which includes not only the secret components, but the public components as well. However I don't know if I'll have the time to get to it.

Enjoy!

-derek
Leave it for 3.1. There are worse programs being advanced because people feel we're waiting too long for PGP3.

Derek Atkins wrote:
| PGPlib has an interface to encrypt the whole keyring, however that
| probably isn't going to be fully implemented unless time permits.
| This interface allows you to encrypt the WHOLE keyring in a
| passphrase, which includes not only the secret components, but the
| public components as well. However I don't know if I'll have the time
| to get to it.

--
"It is seldom that liberty of any kind is lost all at once." -Hume
participants (4): Adam Shostack, Derek Atkins, Gary Howland, Mark M.