[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

Carlos Serrão carlos.serrao at iscte.pt
Thu Oct 14 11:35:03 EDT 2010


Dinis,

I'm not a crypto expert, but on any public-key based crypto system, the private key is supposed to be always private - even if the private key is protected by a passphrase.

It's like using a strong security measure and then using a weaker one to protect the system. It doesn't make any sense.

You have clever ways to subvert the passphrase without using a brute force attack:
- dictionary attacks
- social engineering
- shoulder surfing
- others.

So, in my opinion this is a bad idea.

Best regards.

On 2010/10/14, at 10:38, dinis cruz wrote:

> Here is a question to the Crypto experts (which I'm not).
> 
> From a security point of view, is it ok if I publish both Public and Private PGP Keys but keep the PassPhrase secret?
> 
> My assumption is that: "as long as the PassPhrase is strong enough, it would not be practical to brute force it (even if the attacker knows the Private Key)". In fact, should the question be: "How big does the PassPhrase need to be in the 2010/2011 time frame for it to be secure?"
> 
> To see this in practice check out the latest script/tool that I just added to the OWASP O2 Platform which dramatically simplifies the process of using PGP (creating keys, encrypting/decrypting text and encrypting/decrypting files):
> 
> blog post: http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html
> Wiki page http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2
> YouTube Video http://www.youtube.com/watch?v=_Cd8AfZyWMs
> As you can see, this O2 tool will really enable this workflow (sending both the Public and Private Keys to the client in a non-encrypted zip and then sending the PassPhrase in an offline/out-of-band method), so I'm really trying to figure out if this is a good idea :)
> Finally, for the really hard-core crypto guys, can you take a look at how I implemented the BouncyCastle Crypto APIs to make sure I did it correctly: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs
> 
> Thanks 
> Dinis Cruz
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

--
Carlos Serrão
ISCTE-IUL/ISTA/DCTI | ADETTI-IUL/NetMuST | PT.OWASP
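As an added illustration (not part of this thread or of the O2 Platform code), the following Python models the point both messages circle around: once the passphrase-protected private key is public, the only thing left between an attacker and the key is the passphrase, so the effective security becomes the weaker of the key's own strength and the passphrase entropy plus the S2K work factor. All guess rates, iteration counts and key-strength figures below are constructed assumptions, not measurements.

```python
import math

# Constructed assumptions for illustration only (not figures from the thread).
# An attacker holding the encrypted private key works fully offline and is
# limited only by how fast the S2K passphrase-to-key derivation can be run.
GUESSES_PER_SECOND = 1e9      # assumed hash operations per second available to the attacker
S2K_ITERATIONS = 65536        # assumed number of hash iterations per passphrase guess
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a passphrase of `length` symbols, each chosen uniformly at
    random from `symbols` possibilities (characters, or words of a word list)."""
    return length * math.log2(symbols)


def weakest_link_bits(key_security_bits: float, passphrase_bits: float,
                      s2k_iterations: int = S2K_ITERATIONS) -> float:
    """Effective security once the encrypted private key itself is public:
    the attacker picks the cheaper of attacking the key or the passphrase.
    Each passphrase guess costs s2k_iterations hash operations, which adds
    log2(s2k_iterations) bits of work but does not add entropy."""
    return min(key_security_bits, passphrase_bits + math.log2(s2k_iterations))


def expected_crack_years(passphrase_bits: float,
                         guesses_per_second: float = GUESSES_PER_SECOND,
                         s2k_iterations: int = S2K_ITERATIONS) -> float:
    """Expected time for an exhaustive offline search that, on average,
    has to try half of the passphrase space."""
    expected_guesses = 2 ** (passphrase_bits - 1)
    hash_ops = expected_guesses * s2k_iterations
    return hash_ops / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(target_bits: float, symbols: int) -> int:
    """Smallest passphrase length (in symbols) whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(symbols))


if __name__ == "__main__":
    # Compare an 8-character random printable-ASCII passphrase with a
    # 10-word passphrase drawn from an assumed 7776-word list, both guarding
    # a key we assume offers about 112 bits of security on its own.
    for label, bits in (("8 random chars", entropy_bits(94, 8)),
                        ("10 random words", entropy_bits(7776, 10))):
        print(f"{label}: {bits:.1f} bits, effective "
              f"{weakest_link_bits(112, bits):.1f} bits, "
              f"~{expected_crack_years(bits):.3g} years offline")
```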
