GPG keys for multiple email accounts
Robert J. Hansen
rjh at sixdemonbag.org
Sun Jul 7 23:19:02 CEST 2013
On 07/07/2013 01:02 PM, Heinz Diehl wrote:
> This very much depends on how important the encrypted information is
> considered to be.
Find me some verifiable instance of OpenPGP passphrases being
brute-forced and I'll take this seriously. Until then, I will continue
to treat brute-forcing as the myth I'm almost certain it is. I like to
assume an attacker is at least as smart as I am. If I'm smart enough to
see that brute-forcing has really bad odds of success, why would I waste
time when there are so many better avenues of attack available?
If I need your secret key and passphrase I'd start by hiring a
thousand-dollar-a-night hooker for a week and point her in your
direction, with a $5,000 bonus if she's able to get your key and
passphrase without you noticing. Simple, cheap and effective. I might
have her plant a keylogger while she's in your bedroom. Or I might try
and nab you via a carefully-prepared spearphish, or get you on a
drive-by as you surf the web, or... etc., etc.
It makes absolutely no sense to brute-force a passphrase when it's so
easy to compromise the communication endpoint. That's where the real
work lies -- not in talk about making something resistant to brute-forcing.
>> Further, who cares if the number of bits in different parts of the
>> system aren't balanced?
>
> For some ciphers (incl. AES), a smaller key size means
> "faster".
This is irrelevant to the discussion. If a cipher isn't fast enough for
your purposes then don't choose it. It has nothing to do with whether
the entropy in a system is "balanced".