Re: ssh /gnupg passwords storage
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 14 Aug 2002 9:27 am, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tue, 2002-08-06 at 21:25, James D Strandboge wrote:
> > gpg private
> > keys really shouldn't be on your hard disk, since decrypting an
> > encrypted file is possible if you have the private key (ie without the
> > password) AFAIK.
>
> This is completely untrue.
>
> It is, however, possible to attack the passphrase on the secret key, as
> this is the weakest part of the crypto system in most cases (users
> usually choose passphrases that are quite simple).
Correct, if you have the private key and no password you can do anything with
it (you can't even sign messages, pretending to be the key bearer); however,
it is _much_ easier to decrypt a message with the private key and no password
than if you didn't have the private key. This is one of the reasons why you
should rigorously check the permissions of your .gnupg/ and .ssh/ directories
and files etc. You also shouldn't store them on a machine where someone else
(think systems admin) has root access, unless you absolutely trust them (be
very careful, trusting also means that you trust them to keep the system
secure from others), especially as it is trivial to use a keylogger to
capture your password if they have root. This is a very serious example of
people generally being the weakest link in the chain; bad key management is
more likely than anything else to cost you your security.
Tom
- --
Email: tb100@doc.ic.ac.uk || Jabber: tombadran@jabber.com
Homepage: http://www.doc.ic.ac.uk/~tb100
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9WhyeXCpWOla2mCcRAqOHAKDTwEO69CFDsrT7XTOGcONB/wzlxQCeOYEf
CKFdU6/vHcq9xCy53r6hGoM=
=A4+a
-----END PGP SIGNATURE-----