[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?
dinis.cruz at owasp.org
Thu Oct 14 05:38:11 EDT 2010
Here is a question to the Crypto experts (which I'm not).
From a security point of view, is it ok if I publish both Public and Private
PGP Keys but keep the PassPhrase secret?
My assumption is that: *"as long as the PassPhrase is strong enough, it
would not be practical to brute force it (even if the attacker knows the
Private Key)"*. In fact, should the question be: *"How big does the
PassPhrase need to be in the 2010/2011 time frame for it to be secure?"*
To see this in practice check out the latest script/tool that I just added
to the OWASP O2 Platform <http://o2platform.com/wiki/Download> which
dramatically simplifies the process of using PGP (creating keys,
encrypting/decrypting text and encrypting/decrypting files):
- blog post:
- Wiki page
- YouTube Video http://www.youtube.com/watch?v=_Cd8AfZyWMs
As you can see, this O2 tool will really enable this workflow (sending
both the Public and Private Keys to the client in a non-encrypted zip and then
sending the PassPhrase in an offline/out-of-band method), so I'm really
trying to figure out if this is a good idea :)
Finally, for the really hard-core crypto guys, can you take a look at how I
implemented the BouncyCastle Crypto APIs to make sure I did it correctly:
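As an added illustration (not part of this post or of the O2 tool), the Python below models what stands between an attacker and a published private key: the iterated+salted string-to-key function of RFC 4880 section 3.7.1.3 that turns the passphrase into the key encrypting the secret-key packet, its fixed per-guess cost, and the resulting expected offline guessing time. The salt, the passphrase and the attacker's hash throughput are constructed values.

```python
import hashlib


def decode_s2k_count(coded: int) -> int:
    """Decode the one-octet coded iteration count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def bytes_hashed_per_guess(coded: int, data_len: int) -> int:
    """Cost of one passphrase guess: S2K hashes max(count, len(salt + passphrase)) bytes."""
    return max(decode_s2k_count(coded), data_len)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len bytes of key material from a passphrase and an 8-octet salt."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salts are exactly 8 octets")
    data = salt + passphrase
    total = bytes_hashed_per_guess(coded, len(data))
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)      # each later context is preloaded with ctx zero bytes
        remaining = total
        while remaining > 0:         # feed salt||passphrase repeatedly, truncating the last copy
            chunk = data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def expected_crack_seconds(entropy_bits: float, coded: int, data_len: int,
                           bytes_per_second: float) -> float:
    """Expected offline guessing time: half the passphrase space at the attacker's
    (constructed) hash throughput, each guess costing bytes_hashed_per_guess."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * bytes_hashed_per_guess(coded, data_len) / bytes_per_second
```

Once the private key itself is public, this guessing runs entirely offline, so the only defences left are the S2K iteration count and the entropy of the passphrase.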