Yet another pgp question... We don't get any pgp news groups here.

Since we need a passphrase to access our secret key, it is reasonable to think that our secring.pgp file is pretty secure, as long as our passphrase is nontrivial. What am I missing here?

Thanx in advance.

+----------------------+----------------------------------------------------+
| J. Michael Diehl ;-) | I thought I was wrong once. But, I was mistaken.   |
|                      +----------------------------------------------------+
| mdiehl@triton.unm.edu| "I'm just looking for the opportunity to be        |
| Thunder@forum        |  Politically Incorrect!                            |
| (505) 299-2282       |                                        <me>        |
+----------------------+----------------------------------------------------+
-----BEGIN PGP SIGNED MESSAGE-----
> Since we need a passphrase to access our secret key, it is reasonable to think that our secring.pgp file is pretty secure, as long as our passphrase is nontrivial. What am I missing here?

The secret key on the secring.pgp is IDEA-encrypted... So, it is only as strong as IDEA, and your passphrase. To break the security, someone needs to be able to:

1) Obtain your secret keyring.. This is either watching it go over the net, reading the file system, borrowing your floppy, or whatever, and

2) Obtain your secret passphrase...

Only when both are accomplished can they get to your secret key, although once they have accomplished #1, they can try to break the IDEA algorithm...

- -derek

PGP 2 key available upon request on the key-server:
pgp-public-keys@toxicwaste.mit.edu
- --
Derek Atkins, MIT '93, Electrical Engineering and Computer Science
Secretary, MIT Student Information Processing Board (SIPB)
MIT Media Laboratory, Speech Research Group
warlord@MIT.EDU PP-ASEL N1NWH

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK8onIzh0K1zBsGrxAQHn0QLECpGbaKS3PpXdJTE0956AkeaYGuZGATJ3
Jgq7I/cEB5l2e3PPr31xdctywTi/+RBIKOJEVokPO9UMsu5KQvwngHta7NeYF8UB
qS3wPDH85ro60H4fFsg/s6E=
=4s7l
-----END PGP SIGNATURE-----
I've-forgotten-who writes:

> Since we need a passphrase to access our secret key, it is reasonable to think that our secring.pgp file is pretty secure, as long as our passphrase is nontrivial. What am I missing here?

There are two security items here. The first is that the secret RSA key not be revealed. The second is that the name attached to that key pair not be revealed.

Derek writes:

> The secret key on the secring.pgp is IDEA-encrypted... So, it is only as strong as IDEA, and your passphrase.

This protection applies to the first criterion--your secret key is not revealed. No one can steal your key and impersonate you.

The second datum, name attached to a key, is protected only by one's sole possession of the secring.pgp file. If you are using a pseudonym, and using an RSA signature to enforce it, and doing things with this pseudonym that you don't want identified with you, then you'd better make sure that secring.pgp file is not discovered on your machine. The format of the keyring file is such that the name attached to a key is in the clear.

This is really a huge hole. Since secret keys are presumed to be in the possession of only those who actually use the keys, possession of a secret key on the secring.pgp is tantamount to proof that you are that pseudonym.

In short: everything about a secret key ring should be encrypted.

A parallel (not as consequential): everything about a public key ring should be encrypted.

Eric
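An added illustration of the point made in the message above (not part of the original thread, and not PGP's own code): a minimal reader for the old-style packet framing described in RFC 1991, showing that a keyring's user ID packet can be listed with no passphrase while the secret-key packet only reveals that its private values are IDEA-protected. The sample keyring bytes, the pseudonym and the function names are constructed for this example.

```python
TAG_SECRET_KEY, TAG_USER_ID = 5, 13   # RFC 1991 packet types
CIPHER_NONE, CIPHER_IDEA = 0, 1       # byte describing secret-MPI protection

def packets(data):
    """Yield (tag, body) for each old-format packet in a keyring."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80 or ctb & 0x40:
            raise ValueError("not an old-format packet header")
        tag, len_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if len_type == 3:
            raise ValueError("indeterminate length not handled here")
        width = 1 << len_type                    # 1, 2 or 4 length bytes
        start = pos + 1 + width
        length = int.from_bytes(data[pos + 1:start], "big")
        if start + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[start:start + length]
        pos = start + length

def skip_mpi(body, pos):
    """MPI = 2-byte bit count followed by ceil(bits / 8) bytes."""
    bits = int.from_bytes(body[pos:pos + 2], "big")
    return pos + 2 + (bits + 7) // 8

def secret_key_cipher(body):
    pos = 1 + 4 + 2 + 1                # version, timestamp, validity, pk alg
    pos = skip_mpi(body, skip_mpi(body, pos))    # public n, then public e
    return body[pos]

def summarize(keyring):
    """List what is readable without the passphrase."""
    out = []
    for tag, body in packets(keyring):
        if tag == TAG_SECRET_KEY:
            idea = secret_key_cipher(body) == CIPHER_IDEA
            out.append(("secret-key", "IDEA" if idea else "other"))
        elif tag == TAG_USER_ID:
            out.append(("user-id", body.decode("latin-1")))
    return out

def _mpi(n):                           # helper used only to build the sample
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: toy public values, 8-byte IV, opaque stand-in ciphertext.
_key = bytes([3]) + bytes(6) + bytes([1]) + _mpi(3233) + _mpi(17) \
       + bytes([CIPHER_IDEA]) + bytes(8) + b"\xaa" * 10
_uid = b"Pseudonym <nym@example.invalid>"
SAMPLE_KEYRING = bytes([0x95]) + len(_key).to_bytes(2, "big") + _key \
                 + bytes([0xB4, len(_uid)]) + _uid
```
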
> There are two security items here. The first is that the secret RSA key not be revealed. The second is that the name attached to that key pair not be revealed.

I may be nitpicking here, but I have to argue. Although there is a relationship, security and privacy are not one and the same. You have named a security item, and a privacy item, not two security items. For privacy to exist, security may be necessary, but that doesn't make it a security item.

For instance, I trust my roommate to respect my privacy. There's no lock on my bedroom door. He knocks before coming in if I'm in there. This is a privacy system based on trust, not on security. I'm not proposing this model for the net, don't worry! (That's Dorothy Denning's job. :-) I'm just pointing out that privacy can exist without security, given appropriate constraints.

Similarly, security can exist without privacy: You can clearsign a message w/o encrypting it.

> This is really a huge hole. Since secret keys are presumed to be in the possession of only those who actually use the keys, possession of a secret key on the secring.pgp is tantamount to proof that you are that pseudonym.

I believe that the secring.pgp is secure, for most reasonable purposes. (You can debate this, but I'll just keep changing my definition of reasonable on you. So don't bother.) However, it is clearly not private. One could argue that the entire secring.pgp should be encrypted, and I might even agree with you. I'll have to think about it more.

> In short: everything about a secret key ring should be encrypted.
>
> A parallel (not as consequential): everything about a public key ring should be encrypted.

The former point is probably true. However, the latter point is ludicrous, IMHO. If it's a public key, why should it be encrypted? The whole purpose of a public key is that it can be widely published. Encrypting it sort of kills the idea. If the name<->key mapping on the public key is protected, it's useless for me to know that key ID B4B951 signed some message. I want to know who that person is, or at least, who they claim to be.

You could claim that the keyring identified the people with whom I talk, but that is easily overcome by just keeping a few thousand people on your keyring. Then the signal is buried in the noise. Even if you don't want someone's public key visible on your own keyring, it's still reasonable for their key to be published in some "global" directory, in the clear.

Marc
I said:

> There are two security items here. The first is that the secret RSA key not be revealed. The second is that the name attached to that key pair not be revealed.

Marc said:

> I may be nitpicking here, but I have to argue. Although there is a relationship, security and privacy are not one and the same. You have named a security item, and a privacy item, not two security items.

As long as we're being precise, allow me to restate my claim. If you use a pseudonym with PGP, and you don't want it revealed, and for some reason it is revealed (through some other security breach), then the secret ring has a security failure (lack of encryption) which leads to a breach of privacy. The lack of encryption is a material cause of the privacy compromise.

As far as I can tell, I was using security to refer to material causes and Marc was referring to end results.

> I believe that the secring.pgp is secure, for most reasonable purposes.

So do I. On an encrypted file system, this is not nearly so large an issue.

> A parallel (not as consequential): everything about a public key ring should be encrypted.

A point of clarification for below: that's one's own personal copy of a public key ring.

> [... this] point is ludicrous, IMHO. If it's a public key, why should it be encrypted? The whole purpose of a public key is that it can be widely published.

The point of a public key is that someone else can perform an operation that only you can undo (and vice-versa, properly stated). Public keys are for anybody that is not you. This does not mean that everyone will have them, or even that everyone should have them. The social form of fully published keys need not be the norm.

> You could claim that the keyring identified the people with whom I talk, but that is easily overcome by just keeping a few thousand people on your keyring.

If this is the only datum available, that would work. When another list is available to intersect your keyring with, the attempted diffusion may fail unexpectedly.

Keeping the identities of your correspondents private (through a security mechanism on the keyring) is much the same as using some of the stronger forms of remailers that have been discussed.

Eric
participants (4)
- Derek Atkins
- Eric Hughes
- J. Michael Diehl
- Marc Horowitz