-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 25-07-2012 8:29, antispa...@sent.at escribió: > > On Wed, Jul 25, 2012, at 03:23, Faramir wrote: ... >>> Yes, security through obscurity. A possible attacker won't know >>> for ... >> I don't know why do you say security through obscurity. Private >> keys can be stored encrypted, so even if somebody steal them, the >> thieve ... > I keep the key on the same phisical drive as the encrypted > document. That's security through obscurity assuming the other one > won't know where to search for the key, which is not stored with > the right extension or in the most common place.
Not right, if your secret key is protected by a passphrase (or strong password), it doesn't matter if the attacker know where to find it. Actually, the attacked is very likely to know where it is, since probably it will be at the default folder. But finding it doesn't mean he can USE it, without the passphrase, it is just a "soup of bits". >> A hacker will know what key he needs to open a file, because the >> encrypted file say it, unless the sender selects hide recipient's >> key ... > So he or she will have to locate the right key. Reasonable would be > to keep the key away, at least on some removable media. Most of us want to keep our keys away from other people, and also keep them protected by a passphrase, in case the key falls in the wrong hands. The attacker needs 2 things: the key and the passphrase. It is a matter of making things harder for the attacker. >>> It employs far less characters. Yet it can be looong. How >>> about that? Is that any better? 45 ASCII lowercase with a >>> uppercase ASCII and a couple of signs is better than 16 random >>> alphanumerics and signs? >> >> I bet it is, as long as that 45 characters passphrase is not >> something that could be found on dictionaries, or combining >> dictionary words. But probably it is an overkill. Anyway, Keepass >> has a built in ... > If only dictionary attacks would be the the problem than any > longish verse from a popular band could do it. Just add a comma in > some weird place and you have broken even the lyrics hacker. Don't forget there can be attacks with dictionary and mutators. Of course, you can increase mutators until the attack becomes infeasible too (what is the point when a dictionary attack with mutators become a bruteforce attack?). Anyway, a good password should include uppercase and lowercase, numbers and special characters. One of each of these forces the attacker to increase the key space (even 1 special character forces the attacker to include them in the attack). Of course, there may be a sub-set of special characters known as "most used special characters". And of course, make it long enough a bruteforce attack is infeasible for your adversary. And what is infeasible for your adversary? Depends on your threat model. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJQEJ3CAAoJEMV4f6PvczxAOLsH/24OaRbK88Z9GHtrFRItn/4F oRvZrmc7ldffOPjuduUdpuOY6QhYzfPew1c0o3+OsW5HlxkRtk9LdihcDLGRnUd7 bA5/VFy6fTxKxnW22GYwy2Ht2NNO+s/KVe9ZRK/LMCWHhvTAT/z1DVvu3i3sQadL DMMqOKdlouuuyKk0C8MCJX6siVx5HBCn/c8Eu/a+gWZSayQBIjnlJamD7fjhAuzh ze5VytLaNLrf2FXO9oJZ/1WPCSa2ICaTPqbtsli+Z4Q1UifwjqYYlY0+7h+T6LBa CAFtPh+kNsa0lqefusR/n9ytWeU3k7LiTCJnGGHqk3VykdyNkD1+eS8PWi6uG/k= =vAef -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users