revoke key with forgotten passphrase from keyservers

Newton Hammet newton at hammet.net
Tue Feb 24 16:31:48 CET 2004


Hello Fellow unfortunate owner of a nice public key that is sitting
out there silently rotting in key-server purguratory.

I too, have a nicely signed, well-formed public key out there. Along with
a hard copy revoke certificate and a floppy disk and hard copy base64
copy of the key itself in a nice folder I created an overly long pass
phrase which was probably cryptographically secure but horrible to keep
track
of when typing into gpg.  Eventually I forgot the pass phrase.

So now I created a new public key , this time with a 16-character
passphrase composed of basically nonsense stuff.  (I will probably change
it by
creating a new one using /dev/random).

But I also did this.  I changed the password to my box to be the same
as the gpg passphrase.  Since I log in at least once a day but do not
send signed email or receive email encrypted with the new public key
as often as once a day, at least I have a better chance of remembering
the passphrase.

So I have created a balance between having a totally cryptographically
secure pass phrase and one I am not likely to forget or be frustrated
in making a single key stroke error in the middle of typing a 50+
character passphrase.

So ... I say live with your dirty laundry sitting out there in public key
feafdom and create another key with a process in place to keep you from
forgetting it.

Hope this helps

Regards,
Newton









> Hello gnupg-users,
>
> I've once forgotten the passphrase of a PGP key and created a new one.
> Unfortunately I just realized that I've uploaded this old key to a
> keyserver and no expiration date is set.
>
> So, I'm looking for a way to retain the passphrase by doing a
> dictionary attack with combinations of words/parts that I could remember.
>
> I found pgpcrack, but it does not run on WinXP and though I got the
> source I did not manage to compile it in cygwin, so I look in general
> for information on what to do.
>
> Is the pgpcrack way a good starting point? should I try harder to
> compile it?
>
> .-----[ pgpcrack-readme ]-----
> |
> | Secret key cracking works quite a bit differently.  After the
> | passphrase is hashed, the IV and each encrypted MPI are decrypted in
> | IDEA-CFB mode.  Then a simple checksum is calculated over the
> | plaintext of each MPI (the checksum is not calculated over N and E).
> | The checksum calculation includes the length fields of each MPI.  The
> | checksum algorithm consists of a running addition of every byte.  The
> | output is a 16-bit integer.  The output is then compared with the
> | unencrypted checksum stored in the secret key file.
> |
> '-------------------
>
> Or is it better to use gpg and a script that passes the
> variations/combinations of passphrases I want to try and check for
> successful execution. Thought about using
> ----->8--------------------------------------------------------
> gpg -u 45FDCE5B --passphrase-fd 0 --sign text.txt < filepassphrase
> ----->8--------------------------------------------------------
> but that seems not to be very performant.
>
> I think it would be futile to write to keyserver admins and please them
> to remove the key (though it has my domain as email address), isn't it?
>
> Hope that you can help..
>
>
> --
> shinE!
> http://www.thequod.de ICQ#152282665
> GnuPG/PGP key: http://thequod.de/danielhahler.asc
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>




More information about the Gnupg-users mailing list