Re: Why revoke a key?
On 2011-10-11 13:25, Ivan Shmakov wrote: That's used to be Moore's [1]. This is why I hated physics: Everything is named after someone. It's also why I picked computer science. Oh... -- Q: What is your secret word? A: That's right. Q: What's right? A: Yes. Q: Sir, you're going to have to tell me your secret word. A: What? Q: I said please tell me your secret word. A: What? Q: What's your secret word? A: Yes. Q: Sorry, yes is not your secret word. You have two more chances. A: I said what? Q: Yes. A: Right, so you admit I said it. Q: No, you said yes. A: No, what! Q: When? A: When you asked for my secret word! Q: What? A: Yes! Q: I'm sorry, that's incorrect. You have one more chance to say your secret word. A: I'd like to speak to your supervisor. Q: Very well, I'll transfer you. His name is Hu. (http://boingboing.net/2010/05/03/fun-with-a-banks-sec.html) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
Thanks for all the good advice, Jan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On 2011-10-10 23:29, Jan Janka wrote: How long would it take to execute a successful brute force attack on a pasphrase consisting of 12 symbols (symbols available on common keyboards)? Calculate how many combinations there are, assume some number of tries per second (you can experimentally find this out), and there you go. But remember Murphy's(?) law! -- (I mean the one about doubling computer power every 18 months -- are there two Murphy's laws? Confused now...) You can measure the strength of your password in bits of entropy, which is basically the log base 2 of the number of combinations. So if there are 64 possible combinations (a single alphanum case-sensitive password-ish) then you have 6 bits of entropy. In the diceware FAQ at www.diceware.com you can find info about how long a password with a given number of bits is supposed to be secure. Also some tips on how to pick a memorizable secure passphrase. If the attacker only got the passphrase and not the private key, I can simply change the passphrase to be secure again. Right? So I'd say my key is compromised if I think an attacker got BOTH, the passphrase AND the key. Yes but remember the attacker might get at an old version of your key that still used the old passphrase. -- Q: What is your secret word? A: That's right. Q: What's right? A: Yes. Q: Sir, you're going to have to tell me your secret word. A: What? Q: I said please tell me your secret word. A: What? Q: What's your secret word? A: Yes. Q: Sorry, yes is not your secret word. You have two more chances. A: I said what? Q: Yes. A: Right, so you admit I said it. Q: No, you said yes. A: No, what! Q: When? A: When you asked for my secret word! Q: What? A: Yes! Q: I'm sorry, that's incorrect. You have one more chance to say your secret word. A: I'd like to speak to your supervisor. Q: Very well, I'll transfer you. His name is Hu. (http://boingboing.net/2010/05/03/fun-with-a-banks-sec.html) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
Jerome Baum jerome+per...@jeromebaum.com writes: On 2011-10-10 23:29, Jan Janka wrote: How long would it take to execute a successful brute force attack on a pasphrase consisting of 12 symbols (symbols available on common keyboards)? Calculate how many combinations there are, assume some number of tries per second (you can experimentally find this out), and there you go. But remember Murphy's(?) law! -- (I mean the one about doubling computer power every 18 months -- are there two Murphy's laws? Confused now...) That's used to be Moore's [1]. On a second thought, I guess that /both/ of them are to be considered when it comes to information security. [1] http://en.wikipedia.org/wiki/Moore's_law […] -- FSF associate member #7257 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On 10/10/2011 5:44 PM, Jerome Baum wrote: But remember Murphy's(?) law! -- (I mean the one about doubling computer power every 18 months -- are there two Murphy's laws? Confused now...) Moore's Law. For reference, a 40-bit key is breakable today by just about anyone, a 64-bit key is breakable today by people with access to significant computational resources (hundreds of machines), and it's plausible to believe fantastically wealthy adversaries can break 80-bit keys. In 1998, EFF's DEEP CRACK exhausted a 56-bit keyspace in roughly 24 hours at a cost of $250,000. Assuming Moore's Law holds true, that means it could be built today with equivalent performance for about $1,000. A 64-bit keyspace is only a factor of 250 harder: a DEEP CRACK/64 could theoretically be made at a cost of $250,000. An 80-bit keyspace is a factor of 50,000 harder, more or less, putting the price of that at $12 billion, somewhere in there. This is really rough back-of-the-envelope calculation, but it passes my sniff test. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On Mon, Oct 10, 2011 at 5:44 PM, Jerome Baum jerome+per...@jeromebaum.com wrote: On 2011-10-10 23:29, Jan Janka wrote: How long would it take to execute a successful brute force attack on a pasphrase consisting of 12 symbols (symbols available on common keyboards)? Calculate how many combinations there are, assume some number of tries per second (you can experimentally find this out), and there you go. But remember Murphy's(?) law! -- (I mean the one about doubling computer power every 18 months -- are there two Murphy's laws? Confused now...) You can measure the strength of your password in bits of entropy, which is basically the log base 2 of the number of combinations. So if there are 64 possible combinations (a single alphanum case-sensitive password-ish) then you have 6 bits of entropy. In the diceware FAQ at www.diceware.com you can find info about how long a password with a given number of bits is supposed to be secure. Also some tips on how to pick a memorizable secure passphrase. A very important distinction must be made between randomly-generated passwords and human-generated passwords. Based on a NIST study on password entropy[1], a 12 character password has only about 24 bits of entropy. Of course, if you're careful about your passphrase generation schemes, you can probably achieve higher than that while still generating your own password. If you value your OpenPGP key, I would not trust it to 24 bits of entropy. My off-card backup of my key is protected by a 32-character passphrase that I believe to be highly resistant to dictionary attack (and contains sufficient special characters that I believe its entropy to be close to the optimal 6.5 bits per symbol). But perhaps I'm delusional. [1] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf -- David Tomaschik, RHCE, LPIC-1 System Administrator/Open Source Advocate OpenPGP: 0x5DEA789B http://systemoverlord.com da...@systemoverlord.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
David Tomaschik wrote (in part): If you value your OpenPGP key, I would not trust it to 24 bits of entropy. My off-card backup of my key is protected by a 32-character passphrase that I believe to be highly resistant to dictionary attack (and contains sufficient special characters that I believe its entropy to be close to the optimal 6.5 bits per symbol). But perhaps I'm delusional. I do not know about delusional. But in a sense, was it not unwise to tell me your passphrase length? I will now set up my hypothetical exhaustive search cracker not to bother with passphrases less than 32 characters or longer than 32 characters. This reduces the size of the search space I must examine. Of coarse, the shorter ones can be tested faster than the longer ones. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:35:01 up 4 days, 18:08, 4 users, load average: 5.13, 5.25, 5.22 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On 10/11/11 9:41 AM, Jean-David Beyer wrote: But in a sense, was it not unwise to tell me your passphrase length? I will now set up my hypothetical exhaustive search cracker not to bother with passphrases less than 32 characters or longer than 32 characters. This reduces the size of the search space I must examine. Of coarse, the shorter ones can be tested faster than the longer ones. Not really. Imagine if you knew his passphrase was a number, but not how long it was. Now he tells you, it's a seven-digit number. Okay, fine: you can exclude all six-digit numbers (900,000 of them), all five-digit numbers (90,000 of them), all four-digit numbers (9,000 of them), all three-digit numbers (900 of them), all two-digit numbers (90 of them) and all one-digit numbers (ten of them) [*]. You've excluded 900,000 + 90,000 + 9,000 + 900 + 90 + 10 = one million total numbers out of the possible ten million. You've reduced the keyspace by 10%. If his passphrase has zero margin of safety, he's done something foolish: his passphrase no longer meets his entropy requirements. On the other hand, if his passphrase is longer than necessary to meet his requirements, he can afford to throw out 10% of the potential keyspace without losing any sleep. What he's done here is pretty much exactly what I've described, just in a different numerical base. Tell you what: I'll put my money where my mouth is. The low-order bits of the primes that comprise my private key are both '1'. Doesn't help you out very much, does it? ;) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
-- Forwarded message -- From: Robert J. Hansen r...@sixdemonbag.org To: Jerome Baum jerome+per...@jeromebaum.com, gnupg-users@gnupg.org Date: Tue, 11 Oct 2011 08:27:47 -0400 Subject: Re: Why revoke a key? On 10/10/2011 5:44 PM, Jerome Baum wrote: But remember Murphy's(?) law! -- (I mean the one about doubling computer power every 18 months -- are there two Murphy's laws? Confused now...) Moore's Law. For reference, a 40-bit key is breakable today by just about anyone, a 64-bit key is breakable today by people with access to significant computational resources (hundreds of machines), and it's plausible to believe fantastically wealthy adversaries can break 80-bit keys. In 1998, EFF's DEEP CRACK exhausted a 56-bit keyspace in roughly 24 hours at a cost of $250,000. Assuming Moore's Law holds true, that means it could be built today with equivalent performance for about $1,000. A 64-bit keyspace is only a factor of 250 harder: a DEEP CRACK/64 could theoretically be made at a cost of $250,000. An 80-bit keyspace is a factor of 50,000 harder, more or less, putting the price of that at $12 billion, somewhere in there. This is really rough back-of-the-envelope calculation, but it passes my sniff test. -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Somewhat outdated, but here is a webpage that makes some comparisons. They don't give the bitsize of the keys, just the number of combinations, but it is still representative. http://www.lockdown.co.uk/?pg=combi Some other interesting, but likely outdated, discussions: http://news.electricalchemy.net/2009/10/password-cracking-in- cloud-part-5.html http://news.electricalchemy.net/2009/10/cracking-passwords-in- cloud.html -- discusses PGP Avi -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (MingW32) - GPGshell v3.77 Comment: Most recent key: Click show in box @ http://is.gd/4xJrs iJgEAREKAEAFAk6UWfc5GGh0dHA6Ly9wZ3AubmljLmFkLmpwL3Brcy9sb29rdXA/ b3A9Z2V0JnNlYXJjaD0weEY4MEUyOUY5AAoJEA1isBn4Din5gXcBAJhFPQdzW6Xm +yGodASC7eBNvkyE67/eHZZK+xLWe+faAP4ghpRCy6ryU8F0Yz65JmzEmmpyFGKw vuJ2Oxoq7UTO+g== =Fdds -END PGP SIGNATURE- User:Avraham pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On 2011-10-11 16:54, Robert J. Hansen wrote: Okay, fine: you can exclude all six-digit numbers (900,000 of them), all five-digit numbers (90,000 of them), all four-digit numbers (9,000 of them), all three-digit numbers (900 of them), all two-digit numbers (90 of them) and all one-digit numbers (ten of them) [*]. You've excluded 900,000 + 90,000 + 9,000 + 900 + 90 + 10 = one million total numbers out of the possible ten million. You've reduced the keyspace by 10%. That 10% really depends on what you are revealing. Consider a 256-bit key. Telling you that it's proper 256 bits (i.e. MSB is 1) I've just halved the search space. I'd guess that revealing that a single base-n digit is non-zero you loose 1/n of the keyspace (base-10: 10%, base-2: 50%). Let's see: given m base-n digits, the keyspace has n^m elements. Revealing one of those digits to be non-zero, the search space is reduced to (n-1)*n^(m-1), so you've lost n^m-(n-1)*n^(m-1) items from your keyspace. That's (n^m-(n-1)*n^(m-1))/n^m of your keyspace, i.e. 1-(n-1)/n = 1/n. So the bit case is the worst-case, and even though I'm paranoid enough for a 4096-bit pubkey, I can sleep well when a 256-bit symmetric key is really worth 255 bits. :-) P.S. where did the [*] go? If his passphrase has zero margin of safety, he's done something foolish: his passphrase no longer meets his entropy requirements. On the other hand, if his passphrase is longer than necessary to meet his requirements, he can afford to throw out 10% of the potential keyspace without losing any sleep. What he's done here is pretty much exactly what I've described, just in a different numerical base. Tell you what: I'll put my money where my mouth is. The low-order bits of the primes that comprise my private key are both '1'. Doesn't help you out very much, does it? ;) Oh, also, this! -- PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
When you start a new topic please create a new message, don't just reply to an old one and change the subject. Doing the latter causes your message to be hidden under the old ones for those of us who use threaded mail readers. On 10/09/2011 14:30, takethe...@gmx.de wrote: Hi everybody, in which cases should I revoke a key in general? Let's say I have my private key on an USB stick and lose the stick somewhere in public. The key is protected by the mantra. I'm sure, nobody knows the mantra except me. Should I revoke the key or could I keep on working with a copy of it? You already got good answers to this question, it depends on how much other people are depending on the security of your key. -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
Original-Nachricht Datum: Sun, 09 Oct 2011 18:52:30 -0400 Von: Robert J. Hansen r...@sixdemonbag.org An: gnupg-users@gnupg.org Betreff: Re: Why revoke a key? Let's say I have my private key on an USB stick and lose the stick somewhere in public. The key is protected by the mantra. I'm sure, nobody knows the mantra except me. Should I revoke the key or could I keep on working with a copy of it? Depends on how strong the passphrase is. I've often said that I'm willing to publish my private key in the _New York Times_, if someone is willing to pay for it. With a strong passphrase, someone getting access to your private key is not a big deal so long as you can guarantee they will never get access to your passphrase. How long would it take to execute a successful brute force attack on a pasphrase consisting of 12 symbols (symbols available on common keyboards)? If the attacker only got the passphrase and not the private key, I can simply change the passphrase to be secure again. Right? So I'd say my key is compromised if I think an attacker got BOTH, the passphrase AND the key. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Why revoke a key?
Hi everybody, in which cases should I revoke a key in general? Let's say I have my private key on an USB stick and lose the stick somewhere in public. The key is protected by the mantra. I'm sure, nobody knows the mantra except me. Should I revoke the key or could I keep on working with a copy of it? I'm grateful for your answers. Thanks, Jan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On 09-10-2011 23:30, takethe...@gmx.de wrote: in which cases should I revoke a key in general? If you think it may be compromised. Let's say I have my private key on an USB stick and lose the stick somewhere in public. The key is protected by the mantra. I'm sure, nobody knows the mantra except me. Should I revoke the key or could I keep on working with a copy of it? That depends on your thread model and the strength of the secret key password. It happened once to me (key on a backup CD-ROM in a bag that got stolen, but unlikely by someone particulary interested in my keys. However, I still revoked it yo be sure. -- Met vriendelijke groet / With kind regards, Johan Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
On 10/9/11 5:30 PM, takethe...@gmx.de wrote: in which cases should I revoke a key in general? Whenever you feel the private key has been compromised. Unfortunately, that just switches the question to when should I consider a key compromised? Let's say I have my private key on an USB stick and lose the stick somewhere in public. The key is protected by the mantra. I'm sure, nobody knows the mantra except me. Should I revoke the key or could I keep on working with a copy of it? Depends on how strong the passphrase is. I've often said that I'm willing to publish my private key in the _New York Times_, if someone is willing to pay for it. With a strong passphrase, someone getting access to your private key is not a big deal so long as you can guarantee they will never get access to your passphrase. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
That's really up to you, how much you value security or not. It depends on many factors, like what the key was used for; ie, if this was the Ubuntu software PGP key, you should revoke it as others are depending on it to be secure. If you used it for just signing a few files here and there, it's probably fine. In general, once you've lost confidence in the security of the key, you should revoke it. I personally only take around subkeys that expire every six months, so even if I lose that key, soon enough it won't matter. David Manouchehri On Sun, Oct 9, 2011 at 5:30 PM, takethe...@gmx.de wrote: Hi everybody, in which cases should I revoke a key in general? Let's say I have my private key on an USB stick and lose the stick somewhere in public. The key is protected by the mantra. I'm sure, nobody knows the mantra except me. Should I revoke the key or could I keep on working with a copy of it? I'm grateful for your answers. Thanks, Jan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users