NULL passphrase. Secure?

John Clizbe JPClizbe@attbi.com
Wed May 21 14:28:59 2003


Daniel Carrera wrote:
>
> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive.  How difficult is that?  Is it
> difficult enough that regular users can afford to not worry about it?

How difficult? Not at all: all you have to do is ask. See Adrian von
Bidder's post to the keyserver-folk list from August 2002 (This was
discussing PGP specifically, but is applicable to all encryption - even
X.509 certs).

-------- Original Message --------
Subject: [Pgp-keyserver-folk] Re: pgp.com
Date: 29 Aug 2002 08:47:53 +0200
From: Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch>
To: pgp-keyserver-folk@flame.org


I guess after 9-11 and with the right paranoia marketing (they should
hire some marketing freak from McAfee etc.), you could get quite a
number of mainstream users to use pgp, iff the user interface is simple
enough.

The problem of course is that these users would have absolutely no clue
about how to use a cryptosystem in a safe manner, so I'd expect the
number of 'exploits' against the openpgp system to be comparable to the
number of msword macro viruses. Yes, I can definitely see it coming...

ANALYZE YOUR PGP KEY SECURITY

Hi!

As you may have heard, a research institute made a huge mathematical
breakthrough in prime number computation a few weeks ago. As prime
numbers are the basics of encryption systems like PGP, this may affect
the security of your encrypted or signed documents and emails.

WATERTIGHTKEYS Inc., offers you the unique possibility to have your PGP
key analyzed, and provides a CERTIFICATE OF SECURITY in the likely event
that your key is not made vulnerable through this new discovery.

To analyze your key, we will unfortunately need both your private and
your public key, but luckily the password of your private key is not
needed, so you can be assured that your key will never be compromised.
Furthermore, WATERTIGHTKEYS Inc. guarantees that your key is only stored
as long as needed for the analysis, and completely deleted from all our
systems after sending you the certificate.

To get your FREE CERTIFICATE RIGHT NOW, mail your public and private key
pair to PRIMENUMBERATTACK@WATERTIGHTKEYS.COM, or visit
http://www.watertightkeys.com for more information.

Respectfully yours,
Dr. Howard J.E.R.K. Watson
CEO WATERTIGHTKEYS, Inc.

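The thread's point is that a secret key stored with a null passphrase is protected by nothing but the file it sits in. A defender can audit for that condition directly: in a v4 OpenPGP secret key packet the octet following the public-key MPIs is the S2K usage octet, and a value of 0 means the key material is stored unencrypted (RFC 4880 section 5.5.3). The following is an added example, not code from the list or from GnuPG; it walks a binary keyring export, locates secret key and secret subkey packets, and reports which ones lack passphrase protection. The sample keyring it runs on is constructed inline with toy MPIs and is not a real key.

```python
import struct

# Public-key MPIs preceding the S2K usage octet, by algorithm id (RFC 4880 9.1 / 5.5.2):
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA n,e; ElGamal p,g,y; DSA p,q,g,y

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet (old- and new-format headers)."""
    off = 0
    while off < len(data):
        ctb = data[off]; off += 1
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[off]; off += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[off] + 192; off += 1
            elif first == 255: length = struct.unpack_from(">I", data, off)[0]; off += 4
            else: raise ValueError("partial body lengths unsupported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3: raise ValueError("indeterminate length unsupported")
            length = int.from_bytes(data[off:off + (1 << ltype)], "big"); off += 1 << ltype
        yield tag, data[off:off + length]; off += length

def secret_key_protection(body):
    """'unprotected' if a v4 secret (sub)key packet has S2K usage 0, i.e. no passphrase."""
    if body[0] != 4: raise ValueError("only v4 key packets handled")
    off = 6                                  # version(1) + creation time(4) + algorithm(1)
    for _ in range(MPI_COUNT[body[5]]):
        bits = struct.unpack_from(">H", body, off)[0]
        off += 2 + (bits + 7) // 8           # skip each MPI: 2-byte bit count + payload
    return "unprotected" if body[off] == 0 else "protected"

def audit(keyring):
    """Protection status of every secret key (tag 5) and secret subkey (tag 7)."""
    return [secret_key_protection(b) for tag, b in iter_packets(keyring) if tag in (5, 7)]

def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def fake_secret_key(s2k_usage):
    """Constructed v4 RSA secret key packet with toy MPIs (not a real key)."""
    body = b"\x04" + struct.pack(">I", 1053524939) + b"\x01" + _mpi(0xD5C7) + _mpi(0x10001)
    body += bytes([s2k_usage])
    if s2k_usage == 254:                     # S2K specifier: AES-128, iterated+salted SHA-1
        body += b"\x07\x03\x02" + b"\x00" * 8 + b"\x60"
    return bytes([0xC5, len(body)]) + body   # new-format header, tag 5, one-octet length

SAMPLE_KEYRING = fake_secret_key(0) + fake_secret_key(254)  # constructed sample input

if __name__ == "__main__":
    print(audit(SAMPLE_KEYRING))             # ['unprotected', 'protected']
```

Run it against `gpg --export-secret-keys` output to list which keys in a keyring are stored without a passphrase; the parser stops at the S2K usage octet and never touches the encrypted material that follows it.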