private key protect cipher
David Shaw
dshaw@jabberwocky.com
Thu Mar 27 20:18:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, Mar 27, 2003 at 08:05:32AM -1000, Maxine Brandt wrote:
> Thanks David. Taking it a step further, is the strength of the session key
> directly related to password strength? I'm thinking: OK I have a 128-bit
> random-character password to open my private key, but does this give
> me 256-bit security when I use Twofish or AES256 for messaging?
Not exactly. The session key is (assuming you have a decent random
number generator) full strength for whatever cipher you are using, so
if you are using TWOFISH or AES256 then you do get the whole 256 bits.
That session key is encrypted with the public key of your recipient.
Your recipient decrypts their private key, and uses it to decrypt the
session key, and uses that to decrypt the message.
If you look at this end to end, then the weakest spot is still the
passphrase, but unless the attacker can get to your local system and
steal your private key, there is no way take advantage of this.
Without getting ahold of the private key, the weak point is either the
public key encryption or the (256-bit) symmetric encryption.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc
iD8DBQE+g06E4mZch0nhy8kRAi/bAJ9KYRoKEZDdJ/x9H87PXYm1u261+QCgnszV
Pk5cdJ0CAxbhtP4YSoaJgnE=
=gRXP
-----END PGP SIGNATURE-----