time delay unlock private key.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Jan 23 16:01:23 CET 2014
On 01/23/2014 09:34 AM, Uwe Brauer wrote:
> Hello
>
> A long time ago, IBM's proprietary OS, called CMS, had a particular
> feature for the login:
>
> It gave you three attempts to log in. If you failed, there was a time
> delay of 20 min, if you failed again, the time delay was prolonged to
> one hour, and then I think to one day.
>
> My private pgp and smime keys are secured by a password, but there is no
> time delay, which makes a brute force attack possible.
>
> Could a time delay be implemented similar to the one I just mentioned?

Nope; the IBM system was an active system; the GnuPG private keyring is
an on-disk data format. If the gnupg executable (which is an active
system) were to implement its own timeout/falloff, anyone who wanted to
crack the file in question would just recompile their own gnupg without
that timeout/falloff, so it wouldn't be an effective countermeasure
against an attacker.

However, you can make each single attempt significantly more expensive
by playing with the s2k-count argument (assuming a reasonable choice for
s2k-mode and s2k-digest-algo and s2k-cipher-algo).

See the manual page notes about those options for more details, and the
specification's string-to-key section for a description of what those
arguments do to the underlying data:

https://tools.ietf.org/html/rfc4880#section-3.7

Regards,
--dkg
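
Added example, not part of the original message and not GnuPG's own code: a Python sketch of the iterated and salted string-to-key function from RFC 4880 section 3.7.1.3, showing how the one-octet coded count sets the number of octets hashed for every single passphrase guess. The function names, the SHA-256 default and the sample salt and passphrase are assumptions made for illustration.

```python
import hashlib, time

EXPBIAS = 6  # constant from RFC 4880 section 3.7.1.3

def decode_count(c):
    """Expand the one-octet coded count into the number of octets hashed."""
    if not 0 <= c <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)

def encode_count(octets):
    """Smallest coded count that hashes at least `octets` octets (max 255)."""
    return next((c for c in range(256) if decode_count(c) >= octets), 255)

def s2k_iterated_salted(passphrase, salt, c, key_len, digest="sha256"):
    """Iterated and salted S2K (specifier type 3) as described in the RFC."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 octets")
    data = salt + passphrase
    # The whole salt+passphrase is always hashed at least once.
    count = max(decode_count(c), len(data))
    full, rest = divmod(count, len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        # Each extra hash context is preloaded with one more zero octet.
        h = hashlib.new(digest, b"\x00" * preload)
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

def work_ratio(c_high, c_low):
    """How many times more octets one guess hashes at c_high than at c_low."""
    return decode_count(c_high) / decode_count(c_low)

if __name__ == "__main__":
    salt = bytes(range(8))  # constructed sample salt
    for c in (0, 96, 200, 255):
        start = time.perf_counter()
        s2k_iterated_salted(b"constructed passphrase", salt, c, 16)
        print(c, decode_count(c), f"{time.perf_counter() - start:.4f}s")
```

The count is stored in the key file next to the salt, so it raises the cost of each guess for everyone, including the legitimate user on every unlock.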