Security Implications

Ingo Klöcker
Sat Dec 15 17:01:01 2001

Hash: SHA1

On Friday 14 December 2001 16:33, Steve Butler wrote:
> Originally I was concerned that if someone intercepted all the files
> it might make my secret key easier to crack.  But after thinking
> through the process I realized that my secret/public key isn't
> exposed at all unless I sign the data.

Only people who can encrypt the message can get your signature because 
messages which are signed and encrypted are first signed and then the 
signed message is encrypted together with the signature.

> However, I am concerned that having the same file encrypted by
> multiple session keys might make it slightly more likely for someone,
> who managed to intercept all the files, to recover the original text.
>  Having it encrypted with a single session key would reduce that
> possibility. But I'm not sure that the difference in exposure is all
> that great.

It's not that great. It would reduce the average time needed to crack 
the session key approximately by the amount of recipients (if for each 
recipient another computer is used). But it really doesn't matter if it 
takes someone 1 billion years or 100 million years in average to crack 
the session key.

> If it is, then I may have to rethink my approach to sending the same
> data files to multiple recipients.  Right now it is easier to take
> approach #1 which has the advantage that nobody knows who the other
> recipients are.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see