time delay unlock private key.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 23 16:01:23 CET 2014

On 01/23/2014 09:34 AM, Uwe Brauer wrote:
> Hello
> A Long time ago, IBM's proprietary  OS, called CMS had a particular
> feature for the login:
> It gave you three attempts to login in. If you failed there was a time
> delay of 20 min, if you failed again, the time delay was prolonged to
> one hour, and then I think to one day.
> My private pgp and smime keys are secured by a password, but there is no
> time delay, which makes a brute force attack possible.
> Could a time delay be implemented similar to the one I just mentioned?

Nope; the IBM system was an active system; the GnuPG private keyring is
an on-disk data format.  If the gnupg executable (which is an active
system) were to implement its own timeout/falloff, anyone who wanted to
crack the file in question would just recompile their own gnupg without
that timeout/falloff, so it wouldn't be an effective countermeasure
against an attacker.

However, you can make each single attempt significantly more expensive
by playing with the s2k-count argument (assuming a reasonable choice for
s2k-mode and s2k-digest-algo and s2k-cipher-algo).

See the manual page notes about those options for more details, and the
specification's string-to-key section for a description of what those
arguments do to the underlying data:




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140123/c8152d43/attachment.sig>

More information about the Gnupg-users mailing list