[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

dinis cruz dinis.cruz at owasp.org
Fri Oct 15 04:20:19 EDT 2010


Comments inline (not picking on you Jim, but your comments were quite
typical of how the 'security world' tends to respond to Crypto questions by
devs who are trying to figure out how to do it )

On 14 October 2010 11:31, Jim Manico <jim.manico at owasp.org> wrote:

> > PGP (creating keys, encrypting/decrypting text and encrypting/decrypting
> files)
>
> That's the easy stuff, it's no big deal.
>

But if it is easy (if one uses an API that does it), why don't all tools
support it?

Yes, it might be easy to technically encrypt and decrypt the data, but we
still have in 2010, enormous usability issues (hence its weak penetration).

Every time I had to use PKI (or any type of encryption) it has been a pain,
and I really think we need to figure out better usability ways to allow
users to easily 'do' encryption.

I know that from a purist point of view what I'm doing sounds very wrong,
BUT, at least with it, I immediately create a workflow with the client which
involves the easy use of PGP technology (which is then only a small hop away
from proper PKI (i.e. just get the user to send me his Public key :)  (I'll
add that button to the next version of the O2 Script :) ))


> You are missing the real challenge of applied cryptography, key management.
> Also, if you are still thinking about "master keys" or "storing keys using
> OS controls" your defensive theory is off by over a decade or more.
>

I think you are being a bit too radical in your view. YES, what I'm
proposing is not PKI and yes once you share the Private KEY the model
changes. BUT to say that it is 'not acceptable' (your previous email) and
should not be used at all, is a bit too extreme.

It's funny how cryptography always triggers very emotional and 'strong'
negative opinions (see for example the comments in this thread I also started
at the SecuriTeam blog http://blogs.securiteam.com/index.php/archives/1451).
Shouldn't we be encouraging the use of Cryptography and not bash it?

Surely, the bottom line is that *it depends on the use cases*, and it surely
must be better than not doing any encryption at all!

Also we have to be realistic on the attack vectors (since the really good
malicious attackers have better ways to get the data than to use
supercomputers to crack the PassPhrase. Just like
http://xkcd.com/538/ captures perfectly :) )


>
> See:
>
> http://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access
>

Yes, and in my case the secret key is the PassPhrase and not the Private Key
:)

Humm, maybe the right way to do it is instead of calling it Public and
Private key we should call it Encryption and Decryption Keys:

Public Key = Encryption Key
Private Key = Decryption Key

:)

Dinis Cruz