time delay unlock private key.

Johannes Zarl johannes at zarl.at
Thu Jan 23 15:58:04 CET 2014


On Thursday 23 January 2014 15:34:17 Uwe Brauer wrote:
> A long time ago, IBM's proprietary OS, called CMS, had a particular
> feature for the login:
> 
> It gave you three attempts to log in. If you failed there was a time
> delay of 20 min, if you failed again, the time delay was prolonged to
> one hour, and then I think to one day.

The same feature is implemented in some form in many/most contemporary login 
systems as well, and it makes great sense for a login system.

The main reason this makes sense is that as a regular user you can't just 
bypass the login screen and get direct access to the hashed password value.

> My private pgp and smime keys are secured by a password, but there is no
> time delay, which makes a brute force attack possible.
> 
> Could a time delay be implemented similar to the one I just mentioned?

In contrast to the login screen example, a delay implemented by gnupg won't 
help you in this case. Once an attacker has access to your private key, he or 
she can try a brute-force attack against the passphrase using a patched 
version of gnupg that does not implement the delay.

So in short:
 - a delay won't help you
 - protect your private key so this won't happen
 - always use a strong passphrase

Cheers,
  Johannes
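
Added example, not part of the original message and not GnuPG code: a toy sketch of why the lockout belongs to the program rather than to the key file. The file layout, the PBKDF2 check tag, the sample passphrase and all function names are assumptions made for illustration; the delays are the ones from the quoted CMS description.

```python
import hashlib
import hmac
import os

DELAYS = [20 * 60, 60 * 60, 24 * 60 * 60]  # 20 min, 1 h, 1 day (quoted CMS scheme)

def _tag(passphrase: str, salt: bytes) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)
    return hmac.new(key, b"check", "sha256").digest()

def protect(passphrase: str) -> dict:
    """Constructed toy 'key file' (NOT GnuPG's format): salt plus a check tag."""
    salt = os.urandom(16)
    return {"salt": salt, "tag": _tag(passphrase, salt)}

def passphrase_ok(blob: dict, guess: str) -> bool:
    """Everything needed to test a guess is in the file; no delay logic lives here."""
    return hmac.compare_digest(_tag(guess, blob["salt"]), blob["tag"])

class DelayingUnlocker:
    """A well-behaved client: three attempts, then escalating lockouts."""
    def __init__(self, blob, clock):
        self.blob, self.clock = blob, clock
        self.failures, self.level, self.locked_until = 0, 0, 0.0

    def unlock(self, guess: str) -> str:
        if self.clock() < self.locked_until:
            return "locked"
        if passphrase_ok(self.blob, guess):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= 3:  # lockout state exists only in this object
            self.locked_until = self.clock() + DELAYS[min(self.level, 2)]
            self.level, self.failures = self.level + 1, 0
        return "wrong"

def demo() -> dict:
    now = [0.0]                      # injected clock, so no real waiting
    blob = protect("correct horse")  # constructed sample passphrase
    client = DelayingUnlocker(blob, lambda: now[0])
    attempts = [client.unlock(g) for g in ("a", "b", "c")]
    while_locked = client.unlock("correct horse")          # refused by the client
    direct = passphrase_ok(dict(blob), "correct horse")    # copy of file, no client
    now[0] += DELAYS[0]
    after_wait = client.unlock("correct horse")
    return {"attempts": attempts, "while_locked": while_locked,
            "direct_check": direct, "after_wait": after_wait}
```

The client refuses even the correct passphrase while locked, yet the same check on a copy of the file answers immediately, because the failure counter never travels with the file.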


