[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

dinis cruz dinis.cruz at owasp.org
Thu Oct 14 05:38:11 EDT 2010


Here is a question to the Crypto experts (which I'm not).

>From a security point of view, is it ok if I publish both Public and Private
PGP Keys but keep the PassPhrase secret?

My assumption is that: *"as long as the PassPhrase is strong enough, it
would be not practical to brute force it (even if the attacker knows the
Private Key)"*. In fact, should the question be: *"How big does the
PassPhrase be in 2010/2011 time frame for it to be secure?"*

 To see this in practice check out the latest script/tool that I just added
to the OWASP O2 Platform <http://o2platform.com/wiki/Download> which
dramatically simplifies the process of using PGP (creating keys,
encrypting/decrypting text and encrypting/decrypting files):

   - blog post:
   http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html
   - Wiki page
   http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2
   - YouTube Video http://www.youtube.com/watch?v=_Cd8AfZyWMs

As you can see, this O2 tool will really enable this workflow (sending the
both Public and Private Keys to the client in a non-encrypted zip and then
sending the PassPhrase in an offline/out-of-band method), so I'm really
trying to figure out if this is a good idea :)

Finally, for the really hard-core crypto guys, can you take a look at how I
implemented the BouncyCastle Crypto APIs to make sure I did it correctly:
http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs

Thanks

Dinis Cruz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101014/f99df043/attachment.html 


More information about the OWASP-Leaders mailing list