❦ On 30 July 2018 20:55 +0200, Willy Tarreau <[email protected]> wrote:
> What I don't like with PGP on an exposed machine is that it reduces the
> size of your 4096-bit key to the size of your passphrase (which most
> often contains much less than the ~700 characters it would need to be
> as large), and also increases your ability to get fooled into entering
> it. Some would call me paranoid, but I don't think I am, I'm just trying
> to keep a balanced level of security, knowing that the global one is not
> better than the weakest point.
Attacks on asymmetric ciphers do not rely on brute force: you don't have
to explore the whole keyspace to guess the private key. You can use
algorithms like the general number field sieve. A 4096-bit RSA keypair
would be roughly equivalent to a symmetric algorithm using a 160-bit key
(unless we find better algorithms to break RSA). A 32-character
passphrase would be enough to protect the private key. Moreover, if you
use a weaker passphrase, you have not lost yet as the string-to-key
function used to turn the passphrase into an AES key is slow. I don't
know where the limit is, but the idea is that with a shorter passphrase,
the attacker may still have a better time finding the AES key instead of
the passphrase.
But if someone can steal your encrypted key from your machine, they may
also be able to steal the unencrypted one through various means. So, you
may still be right about being paranoid. :)
--
The man who sets out to carry a cat by its tail learns something that
will always be useful and which never will grow dim or doubtful.
-- Mark Twain
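To make the argument in the reply above concrete, here is an added example (not part of the original thread, and not code by either of its participants). It implements the OpenPGP "iterated and salted" string-to-key function from RFC 4880 section 3.7.1.3, which is what turns a passphrase into the symmetric key that wraps a private key, and then uses a deliberately rough cost model to estimate how long a passphrase must be before guessing it through S2K is no cheaper than attacking the symmetric key directly. Assumptions: the 160-bit equivalence figure for RSA-4096 is taken from the reply as-is, one SHA-256 compression per 64 octets hashed is the unit of attacker work, and the salt, passphrase and alphabet sizes are constructed for illustration.

```python
"""OpenPGP iterated-and-salted S2K (RFC 4880 3.7.1.3) plus a rough
passphrase-length estimate. Added example; the cost model is a
simplification, not a security proof."""
import hashlib
import math


def s2k_decode_count(coded: int) -> int:
    """Decode the one-octet S2K count into the number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Hash (salt || passphrase) repeatedly until `count` octets have been
    fed in. When the key is longer than one digest, further hash contexts
    are preloaded with 1, 2, ... zero octets and the digests concatenated,
    as the RFC specifies."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    count = s2k_decode_count(coded_count)
    seed = salt + passphrase
    total = max(count, len(seed))      # the seed is always hashed at least once
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)    # context i is preloaded with i zero octets
        remaining = total
        while remaining > 0:
            chunk = seed[:remaining]   # last chunk may be a prefix of the seed
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context += 1
    return key[:key_len]


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase over the given alphabet."""
    return length * math.log2(alphabet_size)


def s2k_work_bits(coded_count: int, hash_block: int = 64) -> float:
    """log2 of hash compressions an attacker pays per passphrase guess.
    Assumption: work is proportional to octets hashed / block size."""
    return math.log2(s2k_decode_count(coded_count) / hash_block)


def min_passphrase_length(target_bits: float, alphabet_size: int,
                          coded_count=None) -> int:
    """Shortest random passphrase whose guessing cost, counting the S2K
    work per guess, reaches `target_bits` of attacker effort. With
    coded_count=None the S2K slowdown is ignored (pure entropy)."""
    credit = s2k_work_bits(coded_count) if coded_count is not None else 0.0
    return math.ceil((target_bits - credit) / math.log2(alphabet_size))


def demo() -> dict:
    """Constructed inputs: an 8-octet salt and a sample passphrase."""
    salt = bytes.fromhex("0011223344556677")
    passphrase = b"correct horse battery staple"
    aes_key = s2k_iterated_salted(passphrase, salt, 0x60, 32)
    return {
        "aes256_key_hex": aes_key.hex(),
        "count_0x60": s2k_decode_count(0x60),
        "count_0xff": s2k_decode_count(0xFF),
        # Printable ASCII (95 symbols), pure entropy, target 160 bits
        "len_160_bits_no_s2k": min_passphrase_length(160, 95),
        # Same target, crediting the slowest S2K count (0xFF)
        "len_160_bits_s2k_ff": min_passphrase_length(160, 95, 0xFF),
        # Target of a 128-bit AES key, slowest S2K count
        "len_128_bits_s2k_ff": min_passphrase_length(128, 95, 0xFF),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The numbers the model produces line up with the reply: about 25 random printable-ASCII characters already carry 160 bits on their own, and crediting the attacker's per-guess S2K work at the maximum count trims that to the low twenties. The model deliberately ignores that real passphrases are far from uniform and that GPUs amortise hashing well, so treat the lengths as a lower bound on what to choose, not a licence to shorten.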