private key protect cipher
Thu Mar 27 20:18:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Mar 27, 2003 at 08:05:32AM -1000, Maxine Brandt wrote:
> Thanks David. Taking it a step further, is the strength of the session key
> directly related to password strength? I'm thinking: OK I have a 128-bit
> random-character password to open my private key, but does this give
> me 256-bit security when I use Twofish or AES256 for messaging?
Not exactly. The session key is (assuming you have a decent random
number generator) full strength for whatever cipher you are using, so
if you are using TWOFISH or AES256 then you do get the whole 256 bits.
That session key is encrypted with the public key of your recipient.
Your recipient decrypts their private key, and uses it to decrypt the
session key, and uses that to decrypt the message.
If you look at this end to end, then the weakest spot is still the
passphrase, but unless the attacker can get to your local system and
steal your private key, there is no way take advantage of this.
Without getting ahold of the private key, the weak point is either the
public key encryption or the (256-bit) symmetric encryption.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
-----END PGP SIGNATURE-----