paperkey // ? feature request

vedaal at hush.com vedaal at hush.com
Wed Feb 11 00:19:11 CET 2009


>Message: 8
>Date: Tue, 10 Feb 2009 16:44:01 -0500
>From: "Robert J. Hansen" <rjh at sixdemonbag.org>
>Subject: Re: paperkey  // ? feature request

>> [1] 'very-important-secret' encrypted in ascii armored form to 
>> unpublished public key using throw-keyid option 
>
>So only someone with the private key can decrypt it.  Okay.  How do you
>communicate the private key with your intended recipients?  And how is
>communicating the private key with your intended recipients different
>from the key distribution problem when using symmetric crypto?


no different,

but unless you choose a sufficiently long and random passphrase,
symmetric crypto with a passphrase string-2-key
is much less protected than when the session key is encrypted to an
unknown asymmetric key

the former is attackable by attacking the passphrase,
the latter cannot be attacked without the keypair and the passphrase,
(and not vulnerable to any symmetric decryption 'shortcuts' like
the pgp vulnerability described a few years ago)


>USB tokens have GUIDs, Globally Unique Identifiers.  Computers keep
>track of what GUIDs they've seen.  If the secret police get access to
>the PC, then they know "ah, someone used GnuPG on a USB token, with a
>GUID of...", etc.  That USB token can now be connected to you.
>
>Okay, so the obvious tactic is to dispose of it.  But how?


there are probably many effective ways,

the first one that comes to mind:
burn it and dump the residue in a sewer


>Digital forensics is the field which concerns itself with pulling
>information you didn't believe existed out of places you didn't believe
>it could be found.  Digital forensicists run the gamut from rank
>amateurs to hardcore professionals who can recover a CD-R that's been
>put through a crosscut shredder.[2]
>
>DF is interesting stuff.  If you're serious about wanting to come up
>with effective spy-versus-spy techniques, then I'd strongly recommend
>reading up on DF.  The more you know about the capabilities of the
>people who are trying to recover your secrets, the more you'll know
>about how to make life difficult on them.


ok, sounds interesting
what sources do you recommend reading?


vedaal

any ads or links below this message are added by hushmail without 
my endorsement or awareness of the nature of the link
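
The passphrase string-to-key step discussed in this message, as an added example that is not part of the original post and is not GnuPG's code: a Python sketch of the OpenPGP iterated and salted S2K (RFC 4880, section 3.7.1.3), showing that the symmetric key is a function of the passphrase plus a salt and count stored with the message, so its strength is capped by the passphrase. The function names, the sample salt and the sample passphrases are assumptions made for the illustration.

```python
import hashlib
import math

def decode_count(coded: int) -> int:
    """Expand the one-octet coded iteration count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int = 16, hash_name: str = "sha256") -> bytes:
    """Derive a symmetric key as the iterated and salted S2K specifier does."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is 8 octets")
    data = salt + passphrase
    # At least one full copy of salt+passphrase is always hashed.
    count = max(decode_count(coded_count), len(data))
    stream = (data * (count // len(data) + 1))[:count]
    key = b""
    preload = 0
    while len(key) < key_len:
        # Keys longer than one digest use extra hash contexts,
        # each preloaded with one more zero octet than the last.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        h.update(stream)
        key += h.digest()
        preload += 1
    return key[:key_len]

def random_passphrase_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose symbols are drawn uniformly at random."""
    return symbols * math.log2(alphabet_size)

def guessing_work_bits(passphrase_bits: float, key_bits: int) -> float:
    """Effective strength: the smaller of passphrase entropy and key size."""
    return min(passphrase_bits, float(key_bits))

if __name__ == "__main__":
    salt = bytes.fromhex("0102030405060708")   # constructed sample salt
    key = s2k_iterated_salted(b"correct horse", salt, 96)
    print("derived AES-128 key:", key.hex())
    # Constructed comparison: 8 random lowercase letters vs 6 random words
    # from a 7776-word list, each against a random 128-bit session key.
    for label, bits in (("8 lowercase letters", random_passphrase_bits(8, 26)),
                        ("6 words of 7776", random_passphrase_bits(6, 7776))):
        print(f"{label}: {guessing_work_bits(bits, 128):.1f} of 128 bits")
```
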
