On 10/17/11 5:18 PM, takethe...@gmx.de wrote: > Hi everybody, > > what is the best way to protect > your private key from getting stolen?
Page 29 (http://www.gnupg.org/gph/en/manual.html#AEN513) of the Gnu Privacy Handbook (http://www.gnupg.org/gph/en/manual.html)recommends a strong passphrase to protect the key. Another strategy is to create sub-keys derived from the private key and use those sub-keys for signing and encrypting anything. This would also mean that you export the public key of whichever sub-key you decide to use -- not your private key. As the use of the public sub-key cannot be used to derive the private key utilizing the sub-key strategy may be the most sensible strategy. > > I think: > > 1. Using gnupg on a windows PC with internet connection is not good, because > there are too many trojans out there. In all fairness, the PC is as weak or strong as it's user. In other words, if you are not willing to do the "nitty-gritty and sometimes research as relentless in nature as Indiana Jones - regarding how you defend your operating system then believe it or not choosing Linux or the Mac won't save you from your laziness. Sorry, but that's the truth. You have to have your own drive to master whatever technology (mathematics, coding language, nuance and more) necessary to defend yourself, your family and your property. If you don't or won't make the effort -- understand that this is exactly what those who create malware rely upon. The other crowd who rely on your "lack of will" are the commercial entities who benefit from those who just want "someone else" to handle the details and who are willing to pay for whatever appears "on the shelf". > > 2. Using gnupg on a linux PC with internet connection (like privatix, see > http://www.mandalka.name/privatix/index.html.en ) is better since there are > fewer(?) security holes and trojans out there. How big do you think is the > thread? > IF you decide you are serious regarding Linux then Debian or Red Hat remain the two you should rely upon. Everyone else, follows them. Of course, if you are really brave and really know what you are doing then Slackware is reliable. Again don't rely on anyone, especially in Linux, to provide you with a satisfactory and reliable defense if you have no clue as to how it works, or how you can repair it should something go wrong or how to improve it's reliability as hacking and threat environment's increase. > 3. The best way is to have one PC connected to the internet and another, > without an internet connection (missing network drivers and a fully encrypted > hard disk for instance), which you use to decrypt and encrypt messages. You > use an USB stick to carry messages from the internet PC to the one not > connected to the net. If you don't have two PCs, you can use another USB > stick with privatix without network drivers on it. > > Which software can I use under point 3 to put my messages in order (date, > sender, etc.) on a linux system? > > Most people use something like point 2, don't they? > > Point 3 is the only satisfying to me, since I find it hard to judge the the > thread in point 2. Additionally point 3 makes it easier to see when your key > might have been stolen: If you see traces that someone broke into your house > and searched everything for the hidden privatix USB stick. Only experts might > notice a trojan under point 2. > > Thanks for answers, > Jan > I think I recall seeing that question (3) on a Computer Science exam. The truth, unfortunately, is that there is no "best way". Unfortunately, there is another level of system attack which was used successfully against HBGary and should be a tale elevated to the level of Grimm's Fairy Tales until it seeps into the unconscious and conscious level of each persons awareness. Read this article and I'm sure you'll get my point: http://www.theregister.co.uk/2011/03/17/hbgary_anon_hacker_interview/ HBGary believed it's own hype regarding their sophistication and skills; simply stated as a corporation they failed the same way or close enough as the individual who believes s/he is a "legend - in their own mind". The trap very similar to that limited thought is to believe that your system is safe because it is isolated; in fact the weakness of your system (regardless what you buy) is really -- you! This side of the problem can be intuited by understanding how many people fall the Nigerian or Russian or other scam ploy every day. In other words, be aware of your own susceptibility to being tricked, taken, and mislead such as when we are distracted. It is one thing to be enjoyably tricked at a magic show, quite another emotion is experienced when your data is stolen and you have no clue how or why until you realize that it was your fault for trusting so and so. I have no intention of being overly discouraging as much as underlying the fundamentals regarding why computer security, encryption methods, etc. are constantly becoming more complex and involved. There really is only one reasonable approach: dive in and master the details yourself. You wouldn't trust a used car salesperson or insurance guy to tell you everything is fine, right? You've got to know quite a bit to know when you are being "taken", right? Well, technology is no different. In some ways, it's harder because a lot of people don't want to work that hard. If you remember however that both criminals and commercial markets are depending upon that natural laziness which we each have -- you may have a chance of developing your own incentive to learn and master what you must and maybe a little more. That is the best defense. All the best...
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users