[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

Jim Manico jim.manico at owasp.org
Thu Oct 14 06:27:30 EDT 2010


This is not acceptable since you will not be able to do full password lifecycle management such as password revocation and password reset easily, something you can do at the key level.

Even worse, the ability to brute force on a local resource must take hardware brute forcing methods (such as using advanced video cards to aid in brute forcing) into consideration. The bad guys have large botnets which they can also use to accelerate brute forcing. Governments have brute forcing capacity measured in physical acres of computing resources (so it does indeed matter who your threat agents are).

I'm not an advanced applied cryptographer by any means, this is just my subjective take on this topic. It seems like a very bad idea.

-Jim Manico
http://manico.net

On Oct 14, 2010, at 3:08 PM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Here is a question to the Crypto experts (which I'm not).
> 
> From a security point of view, is it ok if I publish both Public and Private PGP Keys but keep the PassPhrase secret?
> 
> My assumption is that: "as long as the PassPhrase is strong enough, it would not be practical to brute force it (even if the attacker knows the Private Key)". In fact, should the question be: "How big does the PassPhrase need to be in the 2010/2011 time frame for it to be secure?"
> 
> To see this in practice check out the latest script/tool that I just added to the OWASP O2 Platform which dramatically simplifies the process of using PGP (creating keys, encrypting/decrypting text and encrypting/decrypting files):
> 
> blog post: http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html
> Wiki page http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2
> YouTube Video http://www.youtube.com/watch?v=_Cd8AfZyWMs
> As you can see, this O2 tool will really enable this workflow (sending both the Public and Private Keys to the client in a non-encrypted zip and then sending the PassPhrase in an offline/out-of-band method), so I'm really trying to figure out if this is a good idea :)
> Finally, for the really hard-core crypto guys, can you take a look at how I implemented the BouncyCastle Crypto APIs to make sure I did it correctly: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs
> 
> Thanks 
> Dinis Cruz
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
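As an added worked example (not part of either message in this thread), the following Python turns the "how big does the PassPhrase need to be" question into a calculation over the threat agents Jim lists: the per-agent guess rates, the S2K iteration count and the ten-year horizon are constructed assumptions for illustration, not measurements.

```python
import math

# Constructed threat-agent guess rates in raw hash computations per second.
# These are illustrative placeholders (assumptions), not measured figures.
THREAT_AGENTS = {
    "single_gpu_rig": 1e9,   # one machine with a few video cards
    "botnet": 1e12,          # a large rented or criminal botnet
    "nation_state": 1e15,    # "acres of computing resources"
}


def effective_guess_rate(raw_hash_rate, s2k_iterations):
    """OpenPGP wraps a private key with an iterated, salted S2K hash, so each
    passphrase guess costs s2k_iterations hash computations, not one."""
    return raw_hash_rate / s2k_iterations


def required_entropy_bits(guess_rate, horizon_seconds):
    """Entropy (bits) so that exhausting the space outlasts the horizon.
    The expected hit lands halfway through the space, hence the extra bit."""
    return math.log2(guess_rate * horizon_seconds) + 1


def min_length(entropy_bits, alphabet_size):
    """Shortest uniformly random string over an alphabet with that entropy."""
    return math.ceil(entropy_bits / math.log2(alphabet_size))


def passphrase_requirements(horizon_years=10, s2k_iterations=65536):
    """Per threat agent: entropy needed, and the length that delivers it as
    random printable ASCII (95 symbols) or as Diceware words (7776 words).
    horizon_years and s2k_iterations are assumed defaults for the exercise."""
    horizon_seconds = horizon_years * 365.25 * 24 * 3600
    result = {}
    for agent, raw_rate in THREAT_AGENTS.items():
        bits = required_entropy_bits(
            effective_guess_rate(raw_rate, s2k_iterations), horizon_seconds)
        result[agent] = {
            "entropy_bits": bits,
            "ascii_chars": min_length(bits, 95),
            "diceware_words": min_length(bits, 7776),
        }
    return result


if __name__ == "__main__":
    for agent, req in passphrase_requirements().items():
        print(f"{agent:16s} {req['entropy_bits']:5.1f} bits  "
              f"{req['ascii_chars']} ASCII chars / {req['diceware_words']} words")
```

The output is only as good as the assumed rates, and a bigger passphrase still does nothing for the key-level lifecycle problem Jim raises: a published private key cannot be "un-published" by rotating the passphrase.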