lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 11 Dec 2003 23:22:09 +0000 (GMT)
From: Matthew Wakeling <mnw21-bugtraq@...pleads.com>
To: Thor <thor@...merofgod.com>
Cc: bugtraq@...urityfocus.com
Subject: PGP secret keys (was Re: Dell BIOS DoS)



On Wed, 10 Dec 2003, Thor wrote:
> Is a weak passphrase more easily exploited with the presense of the key ring
> vs direct attack against the encrypted data?  Stuff like that...
>
> Anyone have any insight?

Well, a few weeks ago, I forgot my PGP secret key passphrase. I'm not the
best C programmer in the world (my job is programming in Java), but it
didn't take me very long to extend GnuPG to do parallelised passphrase
cracking. With the job spread between 14 multi-GHz CPUs in various
machines, it was capable of about 10,000 passphrases per second (ie.
slow, and I didn't see much leeway in the code for improvement). The
system didn't need any encrypted text - it was purely a crack
against the secret key encryption. By using special knowledge that I had
about the nature of the passphrase (how many characters, what approximate
characters it used and where), I calculated that it would take about a day
to find the passphrase.

And then I remembered that I had changed it to something else, which my
cracking program would never have found in a hundred years. Oh well. At
least I remembered the passphrase.

To answer your question, the weakest part of the PGP encryption system is
the passphrase. Having access to the secret key file reduces the
difficulty of cracking encrypted text from what computer scientists term
"difficult" to merely "computationally intensive", depending on the
passphrase that you have.

Matthew

-- 
"Argue not with dragons, for thou art crunchy and go well with brie."
                                                           -- Unknown

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ