[Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?

dinis cruz dinis.cruz at owasp.org
Fri Oct 15 04:40:00 EDT 2010


James, that sounds good, but can I just reuse the existing PGP technology to
achieve the same goals?

Like I mentioned in my previous response, I'm starting to really like the
concept of having an Encryption and a Decryption key, and if we are able to
use PKI as a base for such Identity Based Encryption, then that would give
us the option to easily 'upgrade' the user to proper PKI (by doing proper
Key Exchange).

Dinis Cruz


On 14 October 2010 19:26, James McGovern <JMcGovern at virtusa.com> wrote:

>  If you are married to the scheme of sharing keys but not necessarily the
> approach (e.g. PGP), then maybe there is an opportunity for you to noodle
> usage of the Identity Based Encryption work out of Stanford (with patterns
> from Voltage). The idea is that a key doesn’t have to be something based on
> complex algorithms such as factoring of large prime numbers but could be
> something as simple as using an email address.  Google for ‘identity based
> encryption’ for more information.
>
>
>
> James McGovern
> Insurance SBU
> Virtusa Corporation
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Carlos Serrão
> Sent: Thursday, October 14, 2010 11:35 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Is it ok to share the PGP Keys and keep the PassPhrase private?
>
>
>
> Dinis,
>
>
>
> I'm not a crypto expert, but on any public-key based crypto system, the
> private key is supposed to be always private - even if the private key is
> protected by a passphrase.
>
>
>
> It's like using a strong security measure and then using a weaker one to
> protect the system. It doesn't make any sense.
>
>
>
> You have clever ways to subvert the passphrase without using a brute force
> attack:
>
> - dictionary attacks
> - social engineering
> - shoulder surfing
> - others.
>
>
>
> So, in my opinion this is a bad idea.
>
>
>
> Best regards.
>
>
>
> On 2010/10/14, at 10:38, dinis cruz wrote:
>
>
>
>  Here is a question to the Crypto experts (which I'm not).
>
> From a security point of view, is it ok if I publish both Public and
> Private PGP Keys but keep the PassPhrase secret?
>
> My assumption is that: *"as long as the PassPhrase is strong enough, it
> would not be practical to brute force it (even if the attacker knows the
> Private Key)"*. In fact, should the question be: *"How big does the
> PassPhrase need to be in the 2010/2011 time frame for it to be secure?"*
>
>  To see this in practice check out the latest script/tool that I just added
> to the OWASP O2 Platform <http://o2platform.com/wiki/Download> which
> dramatically simplifies the process of using PGP (creating keys,
> encrypting/decrypting text and encrypting/decrypting files):
>
>    - blog post:
>    http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html
>    - Wiki page
>    http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2
>    - YouTube Video http://www.youtube.com/watch?v=_Cd8AfZyWMs
>
> As you can see, this O2 tool will really enable this workflow (sending
> both the Public and Private Keys to the client in a non-encrypted zip and then
> sending the PassPhrase in an offline/out-of-band method), so I'm really
> trying to figure out if this is a good idea :)
>
> Finally, for the really hard-core crypto guys, can you take a look at how I
> implemented the BouncyCastle Crypto APIs to make sure I did it correctly:
> http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs
>
> Thanks
>
> Dinis Cruz
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
> --
>
> Carlos Serrão
>
> ISCTE-IUL/ISTA/DCTI | ADETTI-IUL/NetMuST | PT.OWASP
>
>
>
>
>
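The question in the thread (how strong the passphrase must be once the passphrase-protected private key itself is public) can be worked through with the OpenPGP string-to-key (S2K) parameters that protect a secret key. This is an added example, not code from the thread or from the O2 Platform; the attacker hash rate, the wordlist size and the time horizon are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400
DICEWARE_WORDS = 7776  # assumption: a 6^5-word diceware-style list


def s2k_decode_count(count_byte: int) -> int:
    """Decode the one-octet iterated+salted S2K count (RFC 4880, 3.7.1.3) into
    the number of octets fed through the hash per passphrase trial. GnuPG's
    classic default byte 96 decodes to 65536; 255 is the maximum 65011712."""
    if not 0 <= count_byte <= 255:
        raise ValueError("S2K count is a single octet")
    return (16 + (count_byte & 15)) << ((count_byte >> 4) + 6)


def hash_blocks_per_trial(count_byte: int, block_size: int = 64) -> int:
    """Work per passphrase trial in hash compression blocks (SHA-1 and SHA-256
    both use 64-octet blocks). The RFC hashes at least `count` octets, so this
    is a lower bound an offline attacker pays once per guess."""
    return max(1, math.ceil(s2k_decode_count(count_byte) / block_size))


def trials_per_second(raw_hashes_per_second: float, count_byte: int) -> float:
    """Passphrase trials per second for an attacker with the given raw hash
    rate. With the key file published there is nothing else to slow them
    down: the S2K iteration count is the only cost multiplier left."""
    return raw_hashes_per_second / hash_blocks_per_trial(count_byte)


def required_entropy_bits(trial_rate: float, seconds: float) -> int:
    """Entropy (bits) a passphrase needs so that searching half the space, the
    expected effort for a uniformly random passphrase, exceeds `seconds`."""
    return math.ceil(math.log2(trial_rate * seconds) + 1)


def words_needed(bits: int, wordlist_size: int = DICEWARE_WORDS) -> int:
    """Randomly chosen wordlist words required to reach `bits` of entropy."""
    return math.ceil(bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # Constructed scenario: attacker with 1e9 raw SHA-1/s, key protected with
    # the default S2K count byte 96, passphrase must hold for 10 years.
    rate = trials_per_second(1e9, 96)
    bits = required_entropy_bits(rate, 10 * SECONDS_PER_YEAR)
    print(f"{rate:,.0f} trials/s -> {bits} bits -> {words_needed(bits)} diceware words")
```

The point the model makes concrete is that a published private key turns the passphrase into a single offline-searchable secret, so its required entropy is set by the attacker's budget and the S2K count alone, not by the strength of the key pair.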