[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

Marcin Wielgoszewski marcin at owasp.org
Thu Oct 14 09:50:43 EDT 2010


I'm going to say it's NOT okay to share private keys.  This whole idea is
just a recipe for disaster, no matter how much insightful "guidance" is
published.  If you need a secret key, look to symmetric encryption.

Regards,
-Marcin

On Thu, Oct 14, 2010 at 5:38 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Here is a question to the Crypto experts (which I'm not).
>
> From a security point of view, is it ok if I publish both Public and
> Private PGP Keys but keep the PassPhrase secret?
>
> My assumption is that: *"as long as the PassPhrase is strong enough, it
> would not be practical to brute force it (even if the attacker knows the
> Private Key)"*. In fact, should the question be: *"How big does the
> PassPhrase need to be in the 2010/2011 time frame for it to be secure?"*
>
> To see this in practice check out the latest script/tool that I just added
> to the OWASP O2 Platform <http://o2platform.com/wiki/Download> which
> dramatically simplifies the process of using PGP (creating keys,
> encrypting/decrypting text and encrypting/decrypting files):
>
>    - Blog post:
>    http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html
>    - Wiki page:
>    http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2
>    - YouTube video: http://www.youtube.com/watch?v=_Cd8AfZyWMs
>
> As you can see, this O2 tool will really enable this workflow (sending
> both the Public and Private Keys to the client in a non-encrypted zip and then
> sending the PassPhrase in an offline/out-of-band method), so I'm really
> trying to figure out if this is a good idea :)
>
> Finally, for the really hard-core crypto guys, can you take a look at how I
> implemented the BouncyCastle Crypto APIs to make sure I did it correctly:
> http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs
>
> Thanks
>
> Dinis Cruz
>
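
Added example, not part of the original thread and not the O2 Platform's code: a sketch of the OpenPGP iterated-and-salted string-to-key function (RFC 4880, section 3.7.1.3), which turns the passphrase into the key that encrypts the secret-key material, showing why the passphrase is the only remaining secret once the private key file is shared. The function names, the SHA-1 default, the sample salt and passphrase, and the 128-bit target are assumptions made for illustration.

```python
import hashlib
import math

def s2k_count(c: int) -> int:
    """Decode the one-octet iteration count of RFC 4880 section 3.7.1.3."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive the symmetric key that encrypts the secret-key material.

    Everything except the passphrase (salt, count, hash) is stored in the
    clear inside the private key file, so publishing the file leaves the
    passphrase as the only secret.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is 8 octets")
    data = salt + passphrase
    count = max(s2k_count(c), len(data))   # data is always hashed at least once
    full, rest = divmod(count, len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)        # extra contexts are preloaded with zeros
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

def min_length(target_bits: int, alphabet_size: int) -> int:
    """Symbols needed for target_bits of entropy, assuming each symbol is
    drawn uniformly at random (human-chosen phrases have far less)."""
    return math.ceil(target_bits / math.log2(alphabet_size))

if __name__ == "__main__":
    salt = bytes(range(8))                 # constructed sample salt
    key = s2k_iterated_salted(b"constructed sample passphrase", salt, 96, 16)
    print("octets hashed per derivation:", s2k_count(96))
    print("derived key:", key.hex())
    print("printable ASCII chars for 128 bits:", min_length(128, 94))
    print("7776-word-list words for 128 bits:", min_length(128, 7776))
```

The count octet only sets how many octets are hashed per derivation; it adds a fixed cost per guess and does not make up for a passphrase with little entropy.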