KeePass or any other password wallet to store and transport keys

Faramir faramir.cl at gmail.com
Thu Jul 26 03:30:42 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 25-07-2012 8:29, antispam06 at sent.at wrote:
> 
> On Wed, Jul 25, 2012, at 03:23, Faramir wrote:
...
>>> Yes, security through obscurity. A possible attacker won't know
>>> for
...
>> I don't know why you say security through obscurity. Private
>> keys can be stored encrypted, so even if somebody steals them, the
>> thieve
...
> I keep the key on the same physical drive as the encrypted
> document. That's security through obscurity assuming the other one
> won't know where to search for the key, which is not stored with
> the right extension or in the most common place.

  Not right: if your secret key is protected by a passphrase (or
strong password), it doesn't matter if the attacker knows where to find
it. Actually, the attacker is very likely to know where it is, since
probably it will be in the default folder. But finding it doesn't mean
he can USE it; without the passphrase, it is just a "soup of bits".

>> A hacker will know what key he needs to open a file, because the
>> encrypted file says it, unless the sender selects hide recipient's
>> key
...

> So he or she will have to locate the right key. Reasonable would be
> to keep the key away, at least on some removable media.

  Most of us want to keep our keys away from other people, and also
keep them protected by a passphrase, in case the key falls in the
wrong hands. The attacker needs 2 things: the key and the passphrase.
It is a matter of making things harder for the attacker.


>>> It employs far fewer characters. Yet it can be looong. How
>>> about that? Is that any better? 45 ASCII lowercase with an
>>> uppercase ASCII and a couple of signs is better than 16 random
>>> alphanumerics and signs?
>> 
>> I bet it is, as long as that 45-character passphrase is not
>> something that could be found in dictionaries, or by combining
>> dictionary words. But probably it is overkill. Anyway, Keepass
>> has a built in
...
> If only dictionary attacks were the problem, then any
> longish verse from a popular band could do it. Just add a comma in
> some weird place and you have broken even the lyrics hacker.

  Don't forget there can be attacks with dictionary and mutators. Of
course, you can increase mutators until the attack becomes infeasible
too (at what point does a dictionary attack with mutators become a
brute-force attack?).
  Anyway, a good password should include uppercase and lowercase,
numbers and special characters. One of each of these forces the
attacker to increase the key space (even 1 special character forces
the attacker to include them in the attack). Of course, there may be a
sub-set of special characters known as "most used special characters".
And of course, make it long enough that a brute-force attack is
infeasible for your adversary. And what is infeasible for your
adversary? That depends on your threat model.

   Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
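A worked comparison of the two candidates debated in this thread (45 mixed-case characters with a couple of signs versus 16 random alphanumerics and signs), and of how the long one fares once it is a song lyric an attacker can look up. This is an added example, not code from the list post; the character classes, sample strings, dictionary size and mutator count are constructed assumptions.

```python
import math
import string

# Character classes the thread argues about (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,  # 32 printable ASCII symbols
    "space": " ",
}


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover. Any class that appears
    even once forces the whole class into the search (the thread's point)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def bruteforce_bits(password: str) -> float:
    """log2 of the brute-force key space, charset_size ** length."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(num_units: int, dict_size: int, mutators: int = 1) -> float:
    """log2 of the search space when the passphrase is num_units entries
    from a dictionary of dict_size, each tried in `mutators` variants
    (case changes, a comma in a weird place, ...). Raising mutators
    pushes this figure towards the brute-force one."""
    return num_units * math.log2(dict_size * mutators)


def compare_candidates() -> dict:
    """The two candidates from the thread, plus the 45-character one seen
    as a single lyric line from a lookup table. The 10 million lines and
    1000 mutations per line are assumed, illustrative figures."""
    lyric = "we all live in a Yellow submarine, yellow sub"  # 45 chars, constructed
    random16 = "q7#Ld2!xP0w@Zm9$"                            # constructed
    return {
        "lyric_bruteforce": bruteforce_bits(lyric),
        "random16_bruteforce": bruteforce_bits(random16),
        "lyric_dictionary": dictionary_bits(1, 10_000_000, 1000),
    }


if __name__ == "__main__":
    for name, bits in compare_candidates().items():
        print(f"{name:>20}: {bits:6.1f} bits")
```

Against a pure brute-force attacker the long passphrase wins by a wide margin, but once it is one known lyric line with a thousand mutations it is weaker than the 16 random characters, which is the point both sides of the thread circle around.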
