Traveling without a secret key

Andrew Gallagher andrewg at andrewg.com
Wed Jul 8 13:12:18 CEST 2020


Entropy checkers only provide an *estimate* of randomness, at best an upper bound. Once you know that someone has used a particular key expansion algorithm, the entropy estimate can go down dramatically. This is because randomness is a measure of ignorance, and new information changes the calculation (cf. the Monty Hall problem).

Andrew Gallagher

> On 8 Jul 2020, at 11:53, Stefan Claas <sac at 300baud.de> wrote:
> 
> Ingo Klöcker wrote:
> 
>>> On Tuesday, 7 July 2020 22:42:07 CEST Stefan Claas wrote:
>>> Let's say you travel a lot and do not want to risk that your secret key
>>> gets compromised due to border control etc.
>>> 
>>> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
>>> the key and the passphrase is needed, one simply issues:
>>> 
>>> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
>>> and then one gets a string with an entropy of over 200, which is more than
>>> secure. This would IMHO allow one to have a strong passphrase, but generated
>>> with an easy-to-remember password.
>> 
>> I'm sorry, but you cannot increase the entropy of "simple password" by hashing 
>> it. What you propose is "security by obscurity". And that was never a good 
>> idea.
> 
> Well, if I use a simple password like: 'Holidays Day 1' and run it through:
> 
> http://rumkin.com/tools/password/passchk.php for example
> 
> it gives an entropy of 62.6 bits.
> 
> If I now use this simple password and run it through my program the result is:
> 
> e|}]2$8$lI#:#h%|$}ody&qD6h#$RT;$L4^qm??D (sha256+base91)
> 
> and 
> 
> C9+v21t+2y8atf5y+Yj/TqHenVC//q20WbjzM+jtcLA= (sha256+base64)
> 
> which gives an entropy of 192.3 and 234.2.
> 
> Regards
> Stefan
> 
> -- 
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 
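
Added example, not part of the thread: a Python sketch of the point debated above, comparing what a character-based checker reports for the sha256+base64 output with the entropy that remains once the derivation is known. The `WORDS` list, the "<word> Day <n>" selection model and the `charset_estimate_bits` estimator are constructed assumptions; the estimator is a crude stand-in, not the algorithm used by the checker linked in the thread.

```python
import base64
import hashlib
import math
from itertools import product

def derive(password: str) -> str:
    """The quoted pipeline: openssl dgst -sha256 -binary | base64."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def charset_estimate_bits(s: str) -> float:
    """Crude checker-style estimate (assumption): length * log2(character pool)."""
    pool = 0
    pool += 26 if any(c.islower() for c in s) else 0
    pool += 26 if any(c.isupper() for c in s) else 0
    pool += 10 if any(c.isdigit() for c in s) else 0
    pool += 33 if any(not c.isalnum() for c in s) else 0
    return len(s) * math.log2(pool) if pool else 0.0

# Constructed model of how the human picked the input: "<word> Day <1..31>".
WORDS = ["Vacation", "Travel", "Holidays", "Summer"]

def candidate_space() -> list[str]:
    return [f"{w} Day {d}" for w, d in product(WORDS, range(1, 32))]

def model_entropy_bits(space: list[str]) -> float:
    """Entropy once the selection method is known: log2(number of candidates)."""
    return math.log2(len(space))

def guesses_needed(derived: str, space: list[str]):
    """Guesses to reach `derived` when the derivation itself is public."""
    for n, guess in enumerate(space, start=1):
        if derive(guess) == derived:
            return n, guess
    return None

if __name__ == "__main__":
    secret = "Holidays Day 1"
    passphrase = derive(secret)
    space = candidate_space()
    print(f"checker estimate, input  : {charset_estimate_bits(secret):6.1f} bits")
    print(f"checker estimate, output : {charset_estimate_bits(passphrase):6.1f} bits")
    print(f"known-method entropy     : {model_entropy_bits(space):6.1f} bits")
    print(f"guesses needed           : {guesses_needed(passphrase, space)}")
```

The checker-style figure rises with the length and character mix of the output, while the known-method figure depends only on how many inputs the human could plausibly have chosen; a deterministic hash leaves that count unchanged.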


