surrendering one's passphrase to authorities

David Shaw dshaw at
Wed Mar 4 01:34:12 CET 2009

On Mar 3, 2009, at 6:04 PM, Atom Smasher wrote:

> On Tue, 3 Mar 2009, David Shaw wrote:
>>> This article caught my eye. One of the things that I gleaned from  
>>> the article is that it's obvious that law enforcement (at this  
>>> level) does not have the ability to brute-force crack PGP  
>>> encrypted data. Instead, the courts are attempting to force the  
>>> surrender of the passphrase.
>> Well, maybe.  It's also possible that law enforcement does have the  
>> ability to get into the encrypted data (by some means - I doubt  
>> brute force), but does not want the knowledge of that ability to be  
>> made public.
> ===================
> i would think the FBI (presuming that they're involved) would be  
> able to brute-force a pass-phrase in less than a year. they have the  
> disk, so in all likelihood the weakest link in the chain is the pass- 
> phrase (and that's assuming that there's no cache/tmp files that are  
> not encrypted).

Good point.  I was thinking about the session key, which is basically  
brute forcing proof.  The passphrase would indeed be an easier attack.

The lawyer discussion I posted ( 
) suggests that law enforcement did try to "guess" (his word) the  
passphrase.  Guessing could be anything from trying two or three  
passphrases before giving up to running a list of common passphrases  
against it.  For all we know, they're still running the passphrase  
guesser right now.


More information about the Gnupg-users mailing list