(I'll try to start a new thread from the following quotes.)

On Sat, Nov 28, 2009 at 8:50 AM, Robert J. Hansen <r...@sixdemonbag.org> wrote:
> Matt wrote:
>> If I had a sufficiently good passphrase, would Google returning my
>> secret key as the first hit result for every search for a day still be
>> secure?
>
> "Secure" is not a very good word to use.  It means so many different
> things to so many different people.  "Secure" really means "in
> accordance with my security policies" -- the use of the word is
> inherently subjective.


    Related to the same problem (strength of the secret key data
encryption measures), I posted an email some months ago on the
sci.crypt Usenet group, but I didn't get a satisfactory (that is,
factual) answer. (See below.)

    Maybe someone could clear this up (at least for the GnuPG part). (My
original post was related to both GnuPG and OpenSSH.)

~~~~~~~~~~ Original post:

    (I have a very basic question that to most of the persons reading
this news-group might seem trivial. But anyway...)

    My concern (as stated in the subject) is related to the security
strength of GnuPG and OpenSSH secret / private keys in the following
context:
    * the secret / private keys are encrypted by using a password that
only I (the owner) know;
    * an attacker is in possession of my secret / private key files;
    * the attacker wants to gain access to the secret / private key
(thus being able to impersonate me);
    * the attacker chooses as attack method to brute-force the files
off-line, by trying to guess my password;
    * (by guessing the password I mean trying all possible passwords
that fit a given pattern; the password is not a dictionary word, but
instead is (truly) randomly created (i.e. DiceWare);)

    The question is: what does GnuPG or OpenSSH do to slow down
password brute-force? I mean, does the password derivation function use
some iterations? If so, how many? Can I configure them? I guess so, but
I couldn't find any data on the net on a quick search. (Any references
are appreciated.)

    Also, how many bits of security should my password have in order
to withstand an attack from a small / medium enterprise? (Government
is out of the question as they could get access to my infrastructure
by force...)

    Thank you for your patience and your wisdom,
    Ciprian Craciun.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
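
Added example, not part of the original post and not GnuPG's own code: the OpenPGP format that GnuPG implements defines an iterated and salted string-to-key function (RFC 4880, section 3.7.1.3), and the Python below implements it, decodes its one-octet coded count, and estimates offline search time for a Diceware passphrase. The 7776-word list size, the sample passphrase and salt, and the guess rate of 1e6 per second are assumptions chosen for illustration.

```python
import hashlib
import math

EXPBIAS = 6  # constant fixed by RFC 4880, section 3.7.1.3

def decode_count(c: int) -> int:
    """Expand the one-octet coded count into the number of octets hashed."""
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and salted S2K (type 3): derive key_len octets of key."""
    if len(salt) != 8:
        raise ValueError("the S2K salt is exactly 8 octets")
    block = salt + passphrase
    # salt+passphrase is always hashed in full at least once
    count = max(decode_count(c), len(block))
    reps, tail = divmod(count, len(block))
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)  # each extra context starts with one more zero octet
        for _ in range(reps):
            h.update(block)
        h.update(block[:tail])
        key += h.digest()
        preload += 1
    return key[:key_len]

def diceware_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a passphrase of uniformly random words from the list."""
    return words * math.log2(list_size)

def expected_years(bits: float, guesses_per_second: float) -> float:
    """Average time to find the passphrase (half the space searched)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample values; the guess rate is an assumption, not a benchmark.
    salt = bytes.fromhex("0102030405060708")
    key = s2k_iterated_salted(b"constructed sample phrase", salt, 96, 16)
    print("octets hashed per guess:", decode_count(96), "key:", key.hex())
    for words in (4, 5, 6, 7):
        bits = diceware_bits(words)
        print(words, "words:", round(bits, 1), "bits,",
              f"{expected_years(bits, 1e6):.3g} years at 1e6 guesses/s")
```

The coded count sets how many octets are hashed per guess, so raising it scales the attacker's cost per candidate linearly, while each added Diceware word multiplies the search space by 7776.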