Secret key storage question

Arno Wagner wagner at tik.ee.ethz.ch
Wed Jun 19 10:16:02 CEST 2002


"Robert J. Hansen" <rjhansen at inav.net> Wrote:
> > I'm trying to figure out a couple of things.  For example, if the 
> > passphrase is being used to keep the secret keys unreadable, then am I 
> > correct in thinking that your passphrase should be the same length as 
> 
> Hard to say.  Maybe, maybe not--depends on your threat model.  If your
> threat model covers people who are eavesdropping while your traffic is
> in transit, but considers your home PC to be secure, then you're not
> exposing yourself to any risk by leaving your passphrase as "42" (to
> throw in a random _Hitchhikers_ reference).
> 
> If your threat model considers your PC to be a possible target of
> attack, then it behooves you to use a longer passphrase.  If your threat
> model says the people attacking you have the resources of a large
> corporation or less, then about a 50-glyph passphrase would be just fine
> (assuming Schneier's 1.3 bits of entropy per English glyph).  If your
> threat model is the NSA, then you need to be talking to a professional
> information security consultant--a single software package, such as
> GnuPG, isn't going to cut it for you.

My personal assumption is that as soon as somebody can break 
into my computer without me noticing very soon or somebody gets 
physical access to my computer, the attacker is in. Doing 
keyloggers in hardware or software is not that difficult. Not 
arousing my suspicion is also possible to do. I would not think 
it needs the NSA for that.

The only way around that would be encryption done on a trusted 
token, like a smartcard, which I would immediately miss if
stolen.

Regards,
Arno
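The passphrase-length arithmetic from the thread (1.3 bits of entropy per English glyph, so about 50 glyphs against a corporate-scale attacker) worked through as an added example; this is not code from the thread or from GnuPG, and the attacker guess rates and the hundred-year horizon are constructed assumptions, not figures from the discussion.

```python
import math

# Entropy per glyph of English text, as cited in the thread (Schneier's figure).
ENGLISH_BITS_PER_GLYPH = 1.3

# Entropy per glyph if each glyph is drawn uniformly from 95 printable ASCII
# characters; shown for contrast with the English-text model.
RANDOM_PRINTABLE_BITS_PER_GLYPH = math.log2(95)

# Constructed attacker tiers in offline guesses per second. These are
# placeholder assumptions for the example, not numbers from the thread.
ATTACKER_GUESS_RATES = {
    "hobbyist": 1e6,
    "corporation": 1e10,
}


def passphrase_entropy_bits(n_glyphs, bits_per_glyph=ENGLISH_BITS_PER_GLYPH):
    """Entropy estimate for an n-glyph passphrase under a per-glyph model."""
    return n_glyphs * bits_per_glyph


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected brute-force time: on average the attacker tries half of the
    2**entropy_bits candidates before hitting the right one."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def min_glyphs_for_target(guesses_per_second, target_years,
                          bits_per_glyph=ENGLISH_BITS_PER_GLYPH):
    """Smallest passphrase length whose expected crack time is at least
    target_years against an attacker with the given guess rate."""
    target_seconds = target_years * 365.25 * 24 * 3600
    needed_bits = math.log2(2.0 * target_seconds * guesses_per_second)
    return math.ceil(needed_bits / bits_per_glyph)


if __name__ == "__main__":
    bits = passphrase_entropy_bits(50)
    for tier, rate in ATTACKER_GUESS_RATES.items():
        years = expected_crack_seconds(bits, rate) / (365.25 * 24 * 3600)
        need_en = min_glyphs_for_target(rate, 100)
        need_rand = min_glyphs_for_target(rate, 100, RANDOM_PRINTABLE_BITS_PER_GLYPH)
        print(f"{tier:12s} 50 English glyphs ({bits:.1f} bits): ~{years:.0f} years; "
              f"100-year target needs {need_en} English or {need_rand} random glyphs")
```

The point the thread makes is visible in the output: the same 100-year target costs roughly five times as many glyphs of English prose as of uniformly random characters, and none of it matters once the threat model includes a keylogger on the machine where the passphrase is typed.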