key security

Trevor Smith Trevor Smith" <
Wed Apr 10 02:25:01 2002

On Tue, 9 Apr 2002 17:00:08 -0700, Leigh S. Jones wrote:

>There's no sense in attempting password security that
>exceeds the basic security of the underlying encryption
>system.  For the most secure applications it should take
>an attacker just a little bit less effort to break GPG's
>underlying symmetric-key cryptography than to break your
>own password by guessing. 

This is contrary to what I believed. It was my understanding that
breaking symmetric-key crypto systems like the one in OpenPGP
implementations was monumentally difficult (i.e. requiring hundreds
of millions of dollars or more of computer hardware). It was also my
understanding that the weakest link in the system was the passphrase
protecting the encrypted private key. I believed that using brute
force one could break a passphrase relatively easily (i.e. much less
than hundreds of millions of dollars of equipment would be needed).

Which is correct? Is any passphrase, even one 100 - 200 characters
long consisting of completely random characters, even as remotely
difficult to break as it is to break a GPG coded message?

 Trevor Smith    |