Carlo Luciano Bianco clbianco at tiscalinet.it
Wed Sep 27 01:28:56 CEST 2006

On /26 Sep 2006/, *David Shaw* wrote:

> On Tue, Sep 26, 2006 at 12:23:41PM +0200, Werner Koch wrote:
>> One should always ask the question: How would I attack a system? 
>> Then it will soon be clear that breaking RSA or finding a second
>> pre-image for SHA-1 is not the way any sane attacker would go.
> Yes.  Most discussion of algorithms and key sizes and hashes these
> days are not particularly meaningful in the real world.  There is
> an odd assumption that the other factors in the system are
> axiomatically secure.

Needless to say, I completely agree with both you and Werner on this.
This discussion about "balancing" security is very interesting [at
least for me... ;-)] from a theoretical point of view. I know very
well that using these extra-large keys does not add any security in
real life. 

An attacker who is really motivated to read someone's e-mails and
has enough money/time/resources, would never be so stupid as to lose
his/her time trying to "force" even a 1024-bit RSA key! It would be
much more simple to install a keylogger and/or a backdoor on the
victim's machine, for example. 

Before having a real security enhancement from an extra-large key,
one must use a machine with only fully trusted and verified
software and operating system [having inspected the source code by
himself - and I am writing this on my WinXP laptop... ;-)], he must
not insert passphrases near windows [I mean *real* ones, made of
glass... ;-)], and he must take an incredible amount of other

> It's the castle that has a million-mile-high wall with spikes...
> and a cardboard door.

We had a very long thread about OpenPGP security at the end of the
last year on Italian usenet group it.comp.sicurezza.crittografia,
where we made a small list of "possible ways to crack OpenPGP
without even knowing what it is" (more or less). Just to quote one
of them, did you ever check that there is not a hidden camera in the
lamp on your desk? ;-)

                      |  ICQ UIN: 109517158
 Carlo Luciano Bianco |  Home page: <http://clbianco.altervista.org/>
GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743
