what if they have my sec key?

Jean-David Beyer jeandavid8 at verizon.net
Thu May 29 13:10:02 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ramon Loureiro wrote:
> Hi!
> 
> I'm using different PCs at work for sending email (and other things, of
> course...)
> 
Are just the PCs at work shared, or are the secret keys at work shared too?
> 
> Is it possible for these users to hack my secret key?

It depends, partly, on the security features of the OS you are running. Can
the other users see your key ring? If you run Linux or Unix, for example,
and have the permissions of the directory containing your key ring set to
drwx------ , and the permissions of your secret key ring set to -rw-------
you should be pretty safe except from the super-user. If you do not trust
the super user, you are in big trouble in any case. It is my understanding
that the security features of at least some versions of Windows are much
less and that anyone can get at those files.

> If they have got it, can they use some kind of brute force system to
> guess my pass phrase?

In theory, yes, especially if it is too simple. If you pick a complicated
one such as NICqW$Yu1Fg.ZSLawenaP5ZCiDy (now that that one has been
displayed on the Internet, it is no longer considered a good one), they are
much less likely to guess it even with a dictionary attack. The main trouble
with a passphrase like that is that it may take a month or so before you can
remember it, and writing it down is not considered a good idea.
> 
> What will be the best option in this scenario?
> Having the secret key on my USB drive?
> ?
> 
That is safe as long as the other users of your machine are not running
programs on it while you are using it.

- --
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 06:55:01 up 6 days, 20:52, 4 users, load average: 4.64, 4.25, 4.11
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFIPo8JPtu2XpovyZoRAg89AJ9Xy5Y9slk2Ibtb7Wmn4cYNg9aygwCcCTas
mlgjikdq8E3sCSh3sC+CQHg=
=GXaJ
-----END PGP SIGNATURE-----
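
The permission check described in the message, as an added example that is not part of the original post: it compares the key ring directory and the secret key ring against the `drwx------` and `-rw-------` modes the reply names, and also confirms both belong to the current user. The default home `~/.gnupg` and the file name `secring.gpg` are assumptions based on the GnuPG 1.x layout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory against the modes named above.
# Assumption: GnuPG 1.x layout, secret keys in "secring.gpg" under the home
# directory (default ~/.gnupg, or $GNUPGHOME when set).
# Usage after sourcing this file:  check_keyring [HOMEDIR]

# mode_of PATH: print the 10-character mode string as ls shows it.
# Cutting to 10 columns drops any trailing ACL/SELinux marker ("+" or ".").
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# owner_uid_of PATH: print the numeric uid that owns PATH.
owner_uid_of() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# check_one PATH EXPECTED_MODE: report a wrong mode or a foreign owner.
check_one() {
    rc=0
    m=$(mode_of "$1")
    o=$(owner_uid_of "$1")
    if [ "$m" != "$2" ]; then
        echo "MODE    $1 is $m, expected $2"
        rc=1
    fi
    if [ "$o" != "$(id -u)" ]; then
        echo "OWNER   $1 belongs to uid $o, not to you"
        rc=1
    fi
    return $rc
}

# check_keyring [HOMEDIR]: 0 = matches, 1 = too open or wrong owner, 2 = no directory.
check_keyring() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    result=0
    [ -d "$home" ] || { echo "MISSING $home"; return 2; }
    check_one "$home" "drwx------" || result=1
    if [ -f "$home/secring.gpg" ]; then
        check_one "$home/secring.gpg" "-rw-------" || result=1
    else
        echo "NOTE    no secring.gpg in $home"
    fi
    return $result
}
```

A clean result only covers the file-permission part of the answer; as the message says, it gives no protection against the super-user.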


