[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: gpg: "Warning: using shared memory" - SUID?



on Thu, Nov 30, 2000 at 10:57:53PM -0500, Harry Henry Gebel (hgebel@magpage.com) wrote:
> On Thu, Nov 30, 2000 at 10:09:26PM -0500, Chris Gray wrote:
> > >>>>> "kmself" == kmself  <kmself@ix.netcom.com> writes:
> >     >>  You're probably right about this (IANA security expert), but
> >     >> these should only be readable by root.  Also, if you have a
> >     >> malicious root, your private key isn't going to be all that
> >     >> safe anyway.
> >     kmself> Well, on disk, your private key is secured by your
> >     kmself> passphrase (right?).  
> > I just did a 'less' on my secring.gpg, so...  (remember the thread on
> > the difficulty of password protecting a directory recently) 
> > I don't think that the private key is encrypted in any way.  The fact
> > that it has mode 0600 is seen as security enough.
> 
> The mode is NOT seen as security enough. The private key is encrypted using
> a symmetrical cipher whose key is derived from a hash of the
> passphrase. (the exact cipher and hash can be specified in an S2K block in
> the secret keyring) In other words, if you selected a very good passphrase
> (this is a BIG if for most people) if is just as well encrypted as any gpg
> encrypted message message. The reason people must not be allowed to read it
> is that it gives attackers a single key to discover that can then be used
> to recover ALL of the (symmetrical) keys used to encrypt messages with that
> key, (and because most people choose poor passwords discovering that one
> key would not be hard for most people's keyrings. I am not sure what doing
> 'less' on the keyring is supposed to indicate?

Thanks, Harry.

Ok, understanding that, why was I able to export my secret key without
being prompted for a passphrase, or are the passphrase and key managed
independently -- I can export the key but it's still no good without the
passphrase?

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org

Attachment: pgp7pOZnOd7xu.pgp
Description: PGP signature


Reply to: