time delay unlock private key.
Johannes Zarl
johannes at zarl.at
Thu Jan 23 15:58:04 CET 2014
On Thursday 23 January 2014 15:34:17 Uwe Brauer wrote:
> A long time ago, IBM's proprietary OS, called CMS, had a particular
> feature for the login:
>
> It gave you three attempts to log in. If you failed there was a time
> delay of 20 min, if you failed again, the time delay was prolonged to
> one hour, and then I think to one day.
The same feature is implemented in some form in many/most contemporary login
systems as well, and it makes great sense for a login system.
The main reason this makes sense is that as a regular user you can't just
bypass the login screen and get direct access to the hashed password value.
> My private pgp and smime keys are secured by a password, but there is no
> time delay, which makes a brute force attack possible.
>
> Could a time delay be implemented similar to the one I just mentioned?
In contrast to the login screen example, a delay implemented by gnupg won't
help you in this case. Once an attacker has access to your private key, he or
she can try a brute-force attack against the passphrase using a patched
version of gnupg that does not implement the delay.
So in short:
- a delay won't help you
- protect your private key so this won't happen
- always use a strong passphrase
Cheers,
Johannes
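
The point of the reply above, as an added example that is not part of the original message and not GnuPG code: the lockout state lives in the program, while everything needed to test a passphrase lives in the key file. The blob format and the names `make_blob`, `check_passphrase` and `DelayedUnlocker` are hypothetical stand-ins; the delay schedule follows the quoted message.

```python
import hashlib
import hmac
import os
import time

def make_blob(passphrase: str, iterations: int = 100_000) -> dict:
    """Constructed stand-in for a passphrase-protected key file (not OpenPGP)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": hashlib.sha256(key).digest()}

def check_passphrase(blob: dict, passphrase: str) -> bool:
    """Everything needed to test a passphrase is in the file itself."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                              blob["salt"], blob["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), blob["verifier"])

class DelayedUnlocker:
    """Program-side lockout: three tries, then 20 min, one hour, one day."""
    DELAYS = (20 * 60, 60 * 60, 24 * 60 * 60)

    def __init__(self, blob: dict, clock=time.monotonic):
        self.blob, self.clock = blob, clock
        self.failures = self.lockouts = 0
        self.locked_until = 0.0  # this state is never written into the blob

    def unlock(self, passphrase: str) -> bool:
        if self.clock() < self.locked_until:
            raise PermissionError("locked out")
        if check_passphrase(self.blob, passphrase):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures == 3:
            step = min(self.lockouts, len(self.DELAYS) - 1)
            self.locked_until = self.clock() + self.DELAYS[step]
            self.lockouts += 1
            self.failures = 0
        return False

if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample passphrase
    gate = DelayedUnlocker(make_blob(secret))
    for guess in ("a", "b", "c"):
        gate.unlock(guess)
    try:
        gate.unlock(secret)
    except PermissionError as exc:
        print("through the program:", exc)
    print("read directly from the file:", check_passphrase(gate.blob, secret))
```

The only per-guess cost that travels with the file is the key-derivation work factor stored in it, which is why the advice above comes down to protecting the file and choosing a strong passphrase.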