NULL passphrase. Secure?

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Mon May 19 08:50:02 2003

On Monday 19 May 2003 05:22, Daniel Carrera wrote:

> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive.  How difficult is that?  Is it
> difficult enough that regular users can afford to not worry about it?

As it is now, I'd say on a non-networked, non-telnettable etc. machine, the 
chances of anybody getting the private key are quite low.

As soon as a significant number of people start using convenience encryption 
like that with some popular mailer, key theft will appear on the script 
kiddie radar and some trojan will be modified to collect private keys. I rate 
the chance of this happening at almost 100%.

Of course, AOL putting up big signs saying 'AOL will never ask for your 
password' doesn't stop some people from sending their passwords to any 
passing stranger, so even with password-protected secret keys, there'll be 
some attack to reap keys+passphrases, so you can argue that using unprotected 
private keys does no greater damage...

-- vbi

-- 
"Eat, drink, and be merry, for tomorrow you may work."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj7IfuxgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi
YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWbsEAnirgn3P+WP/OzuFLMm8dRWtW
NCnFAJ9dUlP2aiPiwIYvKsgzpey9/MTyDA==
=6XLG
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

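The question the thread turns on, whether a secret key sitting on disk has any passphrase on it at all, is answered by the key material itself: OpenPGP records it in the secret-key packet's string-to-key (S2K) usage octet (RFC 4880, section 5.5.3), where 0 means the secret MPIs are stored in the clear and 254/255 mean they are encrypted under a passphrase-derived key. What follows is an added example, not code from the original message and not GnuPG's own code: a small Python parser that walks a binary keyring, skips everything that is not a secret key or subkey, and reports for each one whether it is passphrase-protected, with which cipher and which S2K mode. The sample packets are constructed in the file with toy numbers (structurally valid, but not real keys), and names such as scan_keyring and describe_secret_key are this example's own.

```python
import struct

TAG_SECRET_KEY, TAG_SECRET_SUBKEY = 5, 7
PK_ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
                 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
SYM_ALGO_NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
                  7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # MPIs in the public part
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def _skip_mpi(buf, off):
    """Skip one MPI (2-octet bit count followed by ceil(bits/8) octets)."""
    bits = struct.unpack(">H", buf[off:off + 2])[0]
    return off + 2 + (bits + 7) // 8


def _read_packet_header(buf, off):
    """Parse an old- or new-format packet header; return (tag, body_start, body_len)."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet at offset %d" % off)
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag, b1 = ctb & 0x3F, buf[off + 1]
        if b1 < 192:
            return tag, off + 2, b1
        if b1 < 224:
            return tag, off + 3, ((b1 - 192) << 8) + buf[off + 2] + 192
        if b1 == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header (4.2.1)
    if ltype == 0:
        return tag, off + 2, buf[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", buf[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", buf[off + 1:off + 5])[0]
    raise ValueError("indeterminate packet length not supported")


def describe_secret_key(body):
    """Describe the protection of one v4 secret-key packet body (RFC 4880 5.5.3)."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled, got version %d" % body[0])
    algo, off = body[5], 6  # version(1) + creation time(4) + algorithm(1)
    if algo in PUBLIC_MPI_COUNT:
        for _ in range(PUBLIC_MPI_COUNT[algo]):
            off = _skip_mpi(body, off)
    elif algo in (18, 19, 22):  # ECC: curve OID (1-octet length + OID), then point MPI
        off += 1 + body[off]
        off = _skip_mpi(body, off)
        if algo == 18:  # ECDH adds a KDF parameters field (1-octet length + params)
            off += 1 + body[off]
    else:
        raise ValueError("unknown public-key algorithm %d" % algo)
    usage = body[off]  # the S2K usage octet: 0 means the secret MPIs are in the clear
    info = {"algo": PK_ALGO_NAMES.get(algo, str(algo)), "s2k_usage": usage,
            "protected": usage != 0, "cipher": None, "s2k_mode": None}
    if usage in (254, 255):  # cipher id, then S2K specifier (type, hash, ...), then IV
        info["cipher"] = SYM_ALGO_NAMES.get(body[off + 1], str(body[off + 1]))
        info["s2k_mode"] = S2K_MODES.get(body[off + 2], "unknown")
    elif usage:  # legacy form: the octet itself is the cipher id, key = MD5(passphrase)
        info["cipher"] = SYM_ALGO_NAMES.get(usage, str(usage))
        info["s2k_mode"] = "legacy-md5"
    return info


def scan_keyring(data):
    """Walk a binary keyring and describe every secret key and subkey found."""
    results, off = [], 0
    while off < len(data):
        tag, start, length = _read_packet_header(data, off)
        if tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY):
            entry = describe_secret_key(data[start:start + length])
            entry["tag"] = "key" if tag == TAG_SECRET_KEY else "subkey"
            results.append(entry)
        off = start + length
    return results


# --- CONSTRUCTED sample keyring: structurally valid packets with toy numbers, not real keys ---
def _mpi(n):
    """Encode an integer as an OpenPGP MPI."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _packet(tag, body):
    """Old-format packet header with a two-octet body length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


_PUB_RSA = b"\x04" + struct.pack(">I", 1053327602) + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
_SECRET_CLEAR = _mpi(0x1234) + _mpi(0x5678) + _mpi(0x9ABC) + _mpi(0xDEF0)  # d, p, q, u
# Secret key with S2K usage 0: cleartext MPIs followed by their two-octet checksum.
UNPROTECTED_KEY = _packet(TAG_SECRET_KEY, _PUB_RSA + b"\x00" + _SECRET_CLEAR
                          + struct.pack(">H", sum(_SECRET_CLEAR) % 65536))
# Secret subkey with usage 254: AES-256, iterated+salted S2K over SHA-256, 16-octet IV, ciphertext.
_S2K_HEADER = b"\xfe\x09\x03\x08" + b"\x00" * 8 + b"\x60" + b"\x11" * 16
PROTECTED_SUBKEY = _packet(TAG_SECRET_SUBKEY, _PUB_RSA + _S2K_HEADER + b"\xaa" * 40)
USER_ID = _packet(13, b"Example User <user@example.invalid>")  # non-key packet, skipped
SAMPLE_KEYRING = UNPROTECTED_KEY + USER_ID + PROTECTED_SUBKEY

if __name__ == "__main__":
    for entry in scan_keyring(SAMPLE_KEYRING):  # real input: gpg --export-secret-keys > ring.gpg
        print(entry)
```

To audit a real key, feed the parser the binary output of `gpg --export-secret-keys` (modern GnuPG keeps its private keys in its own private-keys-v1.d format, so the on-disk files are not OpenPGP packets, but the export is). Two caveats a practitioner will want: a non-zero usage octet only says a passphrase exists, not that it is any good, and the walk above is exactly the check a key-harvesting trojan of the kind the message predicts would make before deciding whether a stolen key is usable as-is or needs a keylogger beside it.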