[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

Rory McCune rorym at nmrconsult.net
Thu Oct 14 06:09:59 EDT 2010


On Thu, Oct 14, 2010 at 10:38 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Here is a question to the Crypto experts (which I'm not).
>
> From a security point of view, is it ok if I publish both Public and Private
> PGP Keys but keep the PassPhrase secret?
>
> My assumption is that: "as long as the PassPhrase is strong enough, it would
> not be practical to brute force it (even if the attacker knows the Private
> Key)". In fact, should the question be: "How big does the PassPhrase need to
> be in the 2010/2011 time frame for it to be secure?"
>

If you're essentially relying on the security of the passphrase to
provide the confidentiality check, wouldn't it just be easiest to use
a symmetric crypto algorithm (e.g., AES)?  IIRC from Prof Piper's talk
in Dublin, the problem that public/private key crypto was designed to
solve was the secure distribution of the keys, so as you're not using
that side of things (by relying on an out-of-band passphrase), there's
no real need to use PGP :)

Also, thinking about it, the PGP solution could be somewhat less
flexible than the symmetric crypto solution.  If you want to change
the encryption key with PGP you're going to need to redistribute new
keys and presumably change/distribute the passphrase in use, whereas
with a symmetric solution, you just change the passphrase in use and
distribute it.


Cheers

Rory
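An added example, not code from either message in this thread, showing the reduction the exchange is about: once a passphrase-protected private key is published, the attacker holds everything except the passphrase, so recovery is an offline guessing problem whose cost is set only by passphrase entropy and the key-derivation work factor. The example assumes PBKDF2-HMAC-SHA256 as a stand-in for OpenPGP's S2K scheme, an HMAC-SHA256 counter-mode keystream as a standard-library stand-in for AES (so it runs offline with no third-party modules), a constructed fake key blob and wordlist, and an assumed attacker guess rate; none of these figures come from the thread.

```python
# Added example (not from the thread): a passphrase-protected secret that is
# published leaves an attacker with an offline guessing problem whose cost is
# set only by the passphrase and the KDF work factor.
import hashlib
import hmac
import math
import os

KDF_ITERATIONS = 200_000  # assumed PBKDF2 cost; real OpenPGP uses its own S2K scheme


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES, not a recommendation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"stream" + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_secret(secret: bytes, passphrase: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt-then-MAC the secret under a passphrase-derived key.

    The returned dict plays the role of the 'published private key' in the thread."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt, iterations)
    ciphertext = _xor(secret, _keystream(key, len(secret)))
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def unprotect_secret(blob: dict, passphrase: str):
    """Return the secret, or None when the passphrase is wrong (MAC mismatch)."""
    key = derive_key(passphrase, blob["salt"], blob["iterations"])
    expected = hmac.new(key, blob["salt"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor(blob["ciphertext"], _keystream(key, len(blob["ciphertext"])))


def offline_guess(blob: dict, candidates) -> tuple:
    """The attacker's view: holding the blob, every guess is a local KDF run with
    no rate limiting or lockout. Returns (passphrase or None, guesses tried)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if unprotect_secret(blob, candidate) is not None:
            return candidate, tried
    return None, tried


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase of `length` symbols chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random passphrase: half the keyspace at the given rate."""
    return (2 ** (entropy_bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample data: a fake key blob and a small attacker wordlist.
    private_key_material = b"-----BEGIN FAKE PRIVATE KEY-----example-----"
    wordlist = ["123456", "password", "letmein", "owasp2010", "password1", "Tr0ub4dor&3"]

    weak = protect_secret(private_key_material, "password1")
    print("weak passphrase recovered:", offline_guess(weak, wordlist))

    strong = protect_secret(private_key_material, "correct horse battery staple, but longer")
    print("strong passphrase recovered:", offline_guess(strong, wordlist))

    # "How big does the passphrase need to be?" depends on the attacker's rate
    # against this KDF cost; 10**6 guesses/s is an assumed figure for illustration.
    for length in (8, 12, 16):
        bits = passphrase_entropy_bits(length, 95)
        print(f"{length} printable chars = {bits:.1f} bits, "
              f"~{expected_crack_years(bits, 1e6):.2e} years")
```

The structure mirrors Rory's point: `protect_secret` is simply symmetric encryption under a passphrase-derived key, and nothing in the "private key" blob adds security beyond that. The KDF iteration count is the only lever that makes each guess expensive, so the honest answer to "how big" is a function of the attacker's guess rate against the chosen KDF, not a fixed length.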

