private key protection

Derick Centeno dcenteno at ydl.net
Tue Oct 18 18:23:43 CEST 2011 

On 10/17/11 5:18 PM, takethebus at gmx.de wrote:
> Hi everybody,
> 
> what is the best way to protect 
> your private key from getting stolen?

Page 29 (http://www.gnupg.org/gph/en/manual.html#AEN513) of the Gnu
Privacy Handbook (http://www.gnupg.org/gph/en/manual.html)recommends a
strong passphrase to protect the key.  Another strategy is to create
sub-keys derived from the private key and use those sub-keys for signing
and encrypting anything.  This would also mean that you export the
public key of whichever sub-key you decide to use -- not your private
key.  As the use of the public sub-key cannot be used to derive the
private key utilizing the sub-key strategy may be the most sensible
strategy.
> 
> I think:
> 
> 1. Using gnupg on a windows PC with internet connection is not good, because there are too many trojans out there. 
In all fairness, the PC is as weak or strong as it's user.  In other
words, if you are not willing to do the "nitty-gritty and sometimes
research as relentless in nature as Indiana Jones - regarding how you
defend your operating system then believe it or not choosing Linux or
the Mac won't save you from your laziness.  Sorry, but that's the truth.

You have to have your own drive to master whatever technology
(mathematics, coding language, nuance and more) necessary to defend
yourself, your family and your property.  If you don't or won't make the
effort -- understand that this is exactly what those who create malware
rely upon.  The other crowd who rely on your "lack of will" are the
commercial entities who benefit from those who just want "someone else"
to handle the details and who are willing to pay for whatever appears
"on the shelf".
> 
> 2. Using gnupg on a linux PC with internet connection (like privatix, see http://www.mandalka.name/privatix/index.html.en ) is better since there are fewer(?) security holes and trojans out there. How big do you think is the thread? 
> 
IF you decide you are serious regarding Linux then Debian or Red Hat
remain the two you should rely upon.  Everyone else, follows them.  Of
course, if you are really brave and really know what you are doing then
Slackware is reliable.

Again don't rely on anyone, especially in Linux, to provide you with a
satisfactory and reliable defense if you have no clue as to how it
works, or how you can repair it should something go wrong or how to
improve it's reliability as hacking and threat environment's increase.


> 3. The best way is to have one PC connected to the internet and another, without an internet connection (missing network drivers and a fully encrypted hard disk for instance), which you use to decrypt and encrypt messages. You use an USB stick to carry messages from the internet PC to the one not connected to the net. If you don't have two PCs, you can use another USB stick with privatix without network drivers on it. 
> 
> Which software can I use under point 3 to put my messages in order (date, sender, etc.) on a linux system?
> 
> Most people use something like point 2, don't they?
> 
> Point 3 is the only satisfying to me, since I find it hard to judge the the thread in point 2. Additionally point 3 makes it easier to see when your key might have been stolen: If you see traces that someone broke into your house and searched everything for the hidden privatix USB stick. Only experts might notice a trojan under point 2. 
> 
> Thanks for answers, 
> Jan
> 


I think I recall seeing that question (3) on a Computer Science exam.
The truth, unfortunately, is that there is no "best way".
Unfortunately, there is another level of system attack which was used
successfully against HBGary and should be a tale elevated to the level
of Grimm's Fairy Tales until it seeps into the unconscious and conscious
level of each persons awareness.  Read this article and I'm sure you'll
get my point:
http://www.theregister.co.uk/2011/03/17/hbgary_anon_hacker_interview/

HBGary believed it's own hype regarding their sophistication and skills;
simply stated as a corporation they failed the same way or close enough
as the individual who believes s/he is a "legend - in their own mind".
The trap very similar to that limited thought is to believe that your
system is safe because it is isolated; in fact the weakness of your
system (regardless what you buy) is really -- you!

This side of the problem can be intuited by understanding how many
people fall the Nigerian or Russian or other scam ploy every day.
In other words, be aware of your own susceptibility to being tricked,
taken, and mislead such as when we are distracted.  It is one thing to
be enjoyably tricked at a magic show, quite another emotion is
experienced when your data is stolen and you have no clue how or why
until you realize that it was your fault for trusting so and so.

I have no intention of being overly discouraging as much as underlying
the fundamentals regarding why computer security, encryption methods,
etc. are constantly becoming more complex and involved.  There really is
only one reasonable approach: dive in and master the details yourself.
You wouldn't trust a used car salesperson or insurance guy to tell you
everything is fine, right?  You've got to know quite a bit to know when
you are being "taken", right?  Well, technology is no different.  In
some ways, it's harder because a lot of people don't want to work that hard.

If you remember however that both criminals and commercial markets are
depending upon that natural laziness which we each have -- you may have
a chance of developing your own incentive to learn and master what you
must and maybe a little more.  That is the best defense.

All the best...



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20111018/dde4a354/attachment.pgp>

More information about the Gnupg-users mailing list