Interesting article on password guessing via cloud computing
vedaal at hush.com
vedaal at hush.com
Thu Nov 5 16:05:19 CET 2009
David Shaw <dshaw () jabberwocky ! com>
wrote on 2009-11-04 18:34:49 :
>This is not, of course, an OpenPGP "crack", but rather high-speed
>password guessing.
a trivial way to defeat this,
would be to provide each client with a pgp keypair,
(physically presented to the client upon the initial transaction
agreement),
and then encrypt the zipfile to a key and not even use a passphrase
what would be even more interesting,
is if it could be done in a way that truecrypt uses to protect its
encrypted volumes, where the user can choose to use a keyfile as
well as a passphrase, but it cannot be determined before decryption
if a keyfile, passphrase, both or only one, has been used
so, imagine if a client has a zipfile encrypted to both a trivial
password and to a pgp key, and it is not determinable from the
encrypted file itself, if it was encrypted to a key as well,
all the cloud computing resources available will merrily spin
themselves into exhaustion ubtil they decide that the passphrase is
'probably too long and complex to crack'
vedaal
More information about the Gnupg-users
mailing list