[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssh /gnupg passwords storage



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 14 Aug 2002 9:27 am, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tue, 2002-08-06 at 21:25, James D Strandboge wrote:
> > gpg private
> > keys really shouldn't be on your hard disk, since decrypting an
> > encrypted file is possible if you have the private key (ie without the
> > password) AFAIK.
>
> This is completely untrue.
>
> It is, however, possible to attack the passphrase on the secret key, as
> this is the weakest part of the crypto system in most cases (users
> usually chose passphrases that are quite simple).

Correct, if you have the private key and no password you can do anything with 
it (you cant even sign messages - pretending to be the key bearer), however 
it is _much_ easier to decrypt a message with the private key and no password 
than if you didnt have the private key. This is one of the reasons why you 
should rigorously check the permissions of your .gnupg/ .ssh/ directories and 
files etc. You also shouldnt store them on a machine where some one else 
(think systems admin) has root access, unless you absolutely trust them (be 
very careful, trusting also means that you trust them to keep the system 
secure from others), especially as it is trivial to use a keylogger to 
capture your password if they have root. This is a very serious example of 
people generally being the weakest link in the chain, bad key management is 
more likely than anything else going to cost you your security.

Tom
 
- -- 
Email: tb100@doc.ic.ac.uk || Jabber: tombadran@jabber.com
Homepage:   http://www.doc.ic.ac.uk/~tb100
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9WhyeXCpWOla2mCcRAqOHAKDTwEO69CFDsrT7XTOGcONB/wzlxQCeOYEf
CKFdU6/vHcq9xCy53r6hGoM=
=A4+a
-----END PGP SIGNATURE-----



Reply to: