<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Lucida Grande";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
 /* List Definitions */
 @list l0
        {mso-list-id:281889031;
        mso-list-template-ids:-1029940624;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>

<div class=WordSection1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you are married to the scheme of sharing keys but not
necessarily to the approach (e.g. PGP), then maybe there is an opportunity for you
to noodle on using the Identity Based Encryption work out of Stanford (with
patterns from Voltage). The idea is that the public key doesn&#8217;t have to be
something derived from a hard mathematical problem such as factoring the product
of large primes but can be something as simple as an email address; the matching
private key is still secret and is issued by a trusted key server.  Google for &#8216;identity
based encryption&#8217; for more information.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:gray'>James McGovern<br>
</span></b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:gray'>Insurance SBU <o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:gray'>Virtusa </span></b><b><span style='font-size:10.0pt;font-family:
"Calibri","sans-serif";color:#7F7F7F'>Corporation</span></b><b><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:gray'><o:p></o:p></span></b></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:gray'>100 Northfield Drive, Suite 305 | Windsor, CT | 06095<o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:#7F7F7F'>Phone:&nbsp; </span></b><span style='font-size:10.0pt;
font-family:"Calibri","sans-serif";color:gray'>860 688 9900</span><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#7F7F7F'> <b>Ext:&nbsp;
</b></span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:gray'>1037</span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:#7F7F7F'> | <b>Facsimile:&nbsp; </b></span><span style='font-size:10.0pt;
font-family:"Calibri","sans-serif";color:gray'>860 688 2890</span><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#7F7F7F'>
&nbsp;</span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:gray'><o:p></o:p></span></p>

<p class=MsoNormal><a href="http://www.virtusa.com/"><span style='font-size:
10.0pt;font-family:"Calibri","sans-serif";color:#7F7F7F;text-decoration:none'><img
border=0 width=81 height=21 id="Picture_x0020_52"
src="cid:image001.jpg@01CB6BAB.CB8546C0"
alt="cid:image011.jpg@01CB08A4.F95CFA30"></span></a><span style='font-size:
10.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><a
href="http://www.virtusa.com/blog/"><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0
width=22 height=22 id="Picture_x0020_53"
src="cid:image002.gif@01CB6BAB.CB8546C0"
alt="cid:image012.gif@01CB08A4.F95CFA30"></span></a><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><a
href="https://twitter.com/VirtusaCorp" target="_blank"><span style='text-decoration:
none'><img border=0 width=22 height=22 id="Picture_x0020_54"
src="cid:image003.gif@01CB6BAB.CB8546C0"
alt="cid:image004.gif@01CB08A4.F95CFA30"></span></a><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><a
href="http://www.linkedin.com/companies/virtusa" target="_blank"><span
style='text-decoration:none'><img border=0 width=22 height=22
id="Picture_x0020_55" src="cid:image004.gif@01CB6BAB.CB8546C0"
alt="cid:image005.gif@01CB08A4.F95CFA30"></span></a><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><a
href="http://www.facebook.com/VirtusaCorp" target="_blank"><span
style='text-decoration:none'><img border=0 width=22 height=22
id="Picture_x0020_56" src="cid:image005.gif@01CB6BAB.CB8546C0"
alt="cid:image006.gif@01CB08A4.F95CFA30"></span></a><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <b>On Behalf Of </b>Carlos
Serrão<br>
<b>Sent:</b> Thursday, October 14, 2010 11:35 AM<br>
<b>To:</b> owasp-leaders@lists.owasp.org<br>
<b>Subject:</b> Re: [Owasp-leaders] Is it ok to share the PGP Keys and keep
the PassPhrase private?<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>Dinis,<o:p></o:p></p>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>I'm not a crypto expert, but in any public-key crypto
system the private key is supposed to stay private - even when the private
key is protected by a passphrase.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>It's like using a strong security measure and then relying on a
weaker one to protect it. It doesn't make any sense: the passphrase is almost always
far weaker than the key it guards, so it becomes the real security boundary.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>There are clever ways to obtain the passphrase without using
a brute force attack (and once the encrypted private key is published, guessing it
is an offline attack with no rate limit, lockout or detection):<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>- dictionary attacks<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>- social engineering<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>- shoulder surfing<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>- others.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>So, in my opinion this is a bad idea.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>Best regards.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<div>

<p class=MsoNormal>On 2010/10/14, at 10:38, dinis cruz wrote:<o:p></o:p></p>

</div>

<p class=MsoNormal><br>
<br>
<o:p></o:p></p>

<p>Here is a question to the Crypto experts (which I'm not).<o:p></o:p></p>

<p>From a security point of view, is it ok if I publish both Public and Private
PGP Keys but keep the PassPhrase secret?<o:p></o:p></p>

<p>My assumption is that: <b>&quot;as long as the PassPhrase is strong enough,
it would not be practical to brute force it (even if the attacker has the
Private Key)&quot;</b>. In fact, perhaps the question should be: <b>&quot;How long does
the PassPhrase need to be in the 2010/2011 time frame for it to be secure?&quot;</b><o:p></o:p></p>

<p>&nbsp;To see this in practice, check out the latest script/tool that I just
added to the <a href="http://o2platform.com/wiki/Download">OWASP O2 Platform</a>,
which dramatically simplifies the process of using PGP (creating keys,
encrypting/decrypting text and encrypting/decrypting files):<o:p></o:p></p>

<ul type=disc>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'>blog post: <a
     href="http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html"
     target="_blank">http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html</a>
     <o:p></o:p></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'>Wiki page <a
     href="http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2"
     target="_blank">http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2</a>
     <o:p></o:p></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'>YouTube Video <a
     href="http://www.youtube.com/watch?v=_Cd8AfZyWMs" target="_blank">http://www.youtube.com/watch?v=_Cd8AfZyWMs</a>
     <o:p></o:p></li>
</ul>

<p>As you can see, this O2 tool will really enable this workflow (sending
both the Public and Private Keys to the client in a non-encrypted zip and then
sending the PassPhrase by an offline/out-of-band method), so I'm really trying
to figure out if this is a good idea :)<o:p></o:p></p>

<p>Finally, for the really hard-core crypto guys, can you take a look at how I
used the BouncyCastle Crypto APIs to make sure I did it correctly: <a
href="http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs">http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs</a><o:p></o:p></p>

<p>Thanks <o:p></o:p></p>

<p>Dinis Cruz<o:p></o:p></p>

<p class=MsoNormal>_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
https://lists.owasp.org/mailman/listinfo/owasp-leaders<o:p></o:p></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<div>

<p class=MsoNormal><span style='font-size:13.5pt;font-family:"Lucida Grande","serif";
color:black'>--<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.5pt;font-family:"Lucida Grande","serif";
color:black'>Carlos Serrão<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span class=apple-style-span><span style='font-size:9.0pt;
font-family:"Lucida Grande","serif";color:black'>ISCTE-IUL/ISTA/DCTI
|&nbsp;ADETTI-IUL/NetMuST | PT.OWASP</span></span><span style='font-family:
"Lucida Grande","serif";color:black'><o:p></o:p></span></p>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

</div>

</body>

</html>
