On 01/23/2014 09:34 AM, Uwe Brauer wrote:
> Hello
>
> A long time ago, IBM's proprietary OS, called CMS, had a particular
> feature for the login:
>
> It gave you three attempts to log in. If you failed there was a time
> delay of 20 min; if you failed again, the time delay was prolonged to
> one hour, and then I think to one day.
>
> My private pgp and smime keys are secured by a password, but there is no
> time delay, which makes a brute force attack possible.
>
> Could a time delay be implemented similar to the one I just mentioned?
Nope; the IBM system was an active system; the GnuPG private keyring is an on-disk data format. If the gnupg executable (which is an active system) were to implement its own timeout/falloff, anyone who wanted to crack the file in question would just recompile their own gnupg without that timeout/falloff, so it wouldn't be an effective countermeasure against an attacker.

However, you can make each single attempt significantly more expensive by playing with the s2k-count argument (assuming a reasonable choice for s2k-mode and s2k-digest-algo and s2k-cipher-algo). See the manual page notes about those options for more details, and the specification's string-to-key section for a description of what those arguments do to the underlying data:

https://tools.ietf.org/html/rfc4880#section-3.7

Regards,

--dkg
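To make concrete what the s2k-count does to the passphrase before it becomes a key, here is an added reference implementation (not code from this thread or from GnuPG) of the iterated and salted S2K from RFC 4880 section 3.7.1.3. It assumes SHA-1 as the digest (the RFC's own example; gpg's s2k-digest-algo selects it) and shows how the one-octet coded count expands into the number of octets hashed, which is what sets the per-guess cost; the rounding of a requested count to the nearest encodable value at or above it is an assumption about how a client would map a user-supplied number, not a statement about gpg's exact code.

```python
import hashlib
import time


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880 3.7.1.3) to an octet count."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_encode_count(requested: int) -> int:
    """Smallest coded octet whose expanded count is >= requested (assumed rounding)."""
    for coded in range(256):
        if s2k_decode_count(coded) >= requested:
            return coded
    return 0xFF  # 0xFF expands to 65011712, the largest representable count


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        hash_name: str = "sha1", key_len: int = 16) -> bytes:
    """Derive key_len bytes by hashing salt||passphrase repeatedly until
    the decoded octet count has been consumed (RFC 4880 3.7.1.3)."""
    assert len(salt) == 8, "RFC 4880 S2K salts are exactly 8 octets"
    block = salt + passphrase
    # If the count is smaller than salt+passphrase, the whole block is hashed once anyway.
    count = max(s2k_decode_count(coded), len(block))
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)  # later contexts are preloaded with ctx zero bytes
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]  # final chunk may be a prefix of the block
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def attempts_per_second(coded: int, trials: int = 20) -> float:
    """Rough per-guess cost at a given coded count, using a constructed passphrase/salt."""
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed sample salt
    start = time.perf_counter()
    for i in range(trials):
        s2k_iterated_salted(b"guess-%d" % i, salt, coded)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    for coded in (0x00, 0x60, 0xFF):
        print(hex(coded), s2k_decode_count(coded), "octets;",
              "%.1f guesses/s" % attempts_per_second(coded))
```

The ratio between the 0x60 and 0xFF rows (about 992x more octets hashed) is the slowdown an offline guess suffers from raising s2k-count alone, independent of any delay logic in the gpg binary.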