Problems with private keyring?
Nils Ellmenreich
Nils@infosun.fmi.uni-passau.de
Wed Mar 21 18:04:07 2001
>>>"pb" == p brodacki <Pawe> writes:
pb> what I've found here: http://www.i.cz/en/onas/tisk4.html. Two Czechs
pb> claim they can extract private keys from GPG (and PGP) rings.
Quick reaction after reading this: they claim that they can extract the
private key from your private key ring although it's password
protected. Well, this password protection was never meant to be a major
security barrier - it is the general view that if the attacker gets
access to the private ring, then you've lost. The attacker can always do
a brute force or dictionary attack against your password, which will be
orders of magnitude easier than breaking your public key. Even if they found a
bug in OpenPGP that makes it even easier to bypass the password
protection (they seem to claim this) - so what? It would downgrade the
tiny protection against the inexperienced attacker.
From the little information provided, I fail to see the "serious security
vulnerability of an international magnitude".
They also state that your private key is in danger on a multi-user
system. That's obvious and well known. If you want to depend on your
signature, you must protect your private key which is not possible on a
multi-user system.
Another observation: it appears that they contacted neither NAI nor
the GnuPG developers, although they think that both software packages
have a major security problem. Instead, they issue a press release with
strong words, pointing to a report that will be published in the
future. That's bad style, to say the least. You may note that the
contact person at the bottom is the marketing director ...
Calm down. ;-)
Nils
--
Nils Ellmenreich, Lst. f. Programmierung, Universitaet Passau, Germany
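The point Nils makes about the passphrase being the only barrier once an attacker holds the secret ring can be shown in code. The following is an added example and is not part of the mail above, nor code from GnuPG or NAI: it derives the protection key the way OpenPGP's iterated-and-salted S2K does (RFC 4880, section 3.7.1.3), locks a constructed 16-byte "secret key" under a passphrase, and then runs a small dictionary attack with a few mangling rules until a candidate unlocks it. The keystream cipher and the wordlist, salt, key bytes and function names are assumptions made for the example; real rings use CAST5 or AES in CFB mode, but the cost per guess is the S2K step either way, which is the quantity an attacker cares about.

```python
"""Dictionary attack against an OpenPGP-style passphrase-protected secret key.

Added example, not from the original mail and not GnuPG/PGP code. The S2K
derivation follows RFC 4880 section 3.7.1.3 (iterated and salted, SHA-1).
The symmetric cipher is a constructed SHA-256 keystream standing in for the
CAST5/AES-CFB encryption a real keyring uses; the trailing SHA-1 over the key
material mirrors the cleartext hash a real implementation checks to tell a
correct passphrase from a wrong one.
"""
import hashlib
import time
from typing import Iterator, List, Optional, Tuple


def s2k_count(coded: int) -> int:
    """Decode the one-octet iteration count field (RFC 4880 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated+salted S2K: hash `count` octets of (salt||passphrase) repeated.

    If the key is longer than one digest, further hash contexts are preloaded
    with 1, 2, ... zero octets, as the RFC specifies. The preload octets do not
    count towards `count`.
    """
    assert len(salt) == 8, "OpenPGP S2K salt is exactly 8 octets"
    count = s2k_count(coded_count)
    block = salt + passphrase
    out = b""
    ctx_index = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx_index)
        remaining = max(count, len(block))   # hash salt||passphrase at least once
        while remaining > 0:
            chunk = block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx_index += 1
    return out[:key_len]


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in keystream (SHA-256 counter mode), NOT OpenPGP CFB."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_secret(secret: bytes, passphrase: bytes, salt: bytes, coded_count: int) -> bytes:
    """Encrypt secret key material plus a SHA-1 checksum under the S2K key."""
    key = s2k_iterated_salted(passphrase, salt, coded_count, 16)
    return _xor_stream(key, secret + hashlib.sha1(secret).digest())


def unlock_secret(blob: bytes, passphrase: bytes, salt: bytes, coded_count: int) -> Optional[bytes]:
    """Return the key material if the passphrase is right, else None."""
    key = s2k_iterated_salted(passphrase, salt, coded_count, 16)
    plain = _xor_stream(key, blob)
    body, check = plain[:-20], plain[-20:]
    return body if hashlib.sha1(body).digest() == check else None


def candidates(wordlist: List[str]) -> Iterator[bytes]:
    """Wordlist plus a few cheap mangling rules (case, common suffixes)."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in ("", "1", "123", "2001"):
                yield (base + suffix).encode()


def dictionary_attack(blob: bytes, salt: bytes, coded_count: int,
                      wordlist: List[str]) -> Tuple[Optional[bytes], int]:
    """Try every candidate; return (passphrase, number of guesses made)."""
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        if unlock_secret(blob, guess, salt, coded_count) is not None:
            return guess, tried
    return None, tried


def guesses_per_second(seconds: float = 0.5) -> float:
    """Rough single-core rate of the S2K step, the per-guess cost for an attacker."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        s2k_iterated_salted(b"x" * 10, SALT, CODED_COUNT, 16)
        n += 1
    return n / (time.perf_counter() - start)


# Constructed demo data: not a real key, not a real ring, not a real wordlist.
SALT = bytes.fromhex("0123456789abcdef")
CODED_COUNT = 0x60                        # 65536 octets hashed per guess
SECRET_KEY_MATERIAL = bytes(range(1, 17)) # stand-in for the secret MPI bytes
WORDLIST = ["secret", "gnupg", "passau", "letmein", "pgp"]
LOCKED = lock_secret(SECRET_KEY_MATERIAL, b"Passau2001", SALT, CODED_COUNT)

if __name__ == "__main__":
    found, tried = dictionary_attack(LOCKED, SALT, CODED_COUNT, WORDLIST)
    print(f"recovered passphrase {found!r} after {tried} guesses")
    rate = guesses_per_second()
    print(f"~{rate:.0f} guesses/s on one core; 8 lowercase letters (26**8) "
          f"would take ~{26 ** 8 / rate / 86400:.1f} days at that rate")
```

Two things worth noting from running it. The checksum test makes wrong guesses fail cleanly, so the attacker needs no oracle beyond the ring file itself. And the iteration count is the only knob the defender has: raising the coded count (0xFF gives about 65 million octets per guess) slows every guess, but a passphrase drawn from a wordlist plus a few rules still falls in seconds, which is why the mail says the real defence is not letting the ring leave your control.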