Hi Vincent,

On Mon, Jul 30, 2018 at 11:16:39PM +0200, Vincent Bernat wrote:
> On 30 July 2018 20:55 +0200, Willy Tarreau <w...@1wt.eu>:
> 
> > What I don't like with PGP on an exposed machine is that it reduces the
> > size of your 4096-bit key to the size of your passphrase (which most
> > often contains much less than the ~700 characters it would need to be
> > as large), and also increases your ability to get fooled into entering
> > it. Some would call me paranoid, but I don't think I am, I'm just trying
> > to keep a balanced level of security, knowing that the global one is not
> > better than the weakest point.
> 
> Attacks on asymmetric ciphers do not rely on bruteforce: you don't have
> to explore the whole keyspace to guess the private key. You can use
> algorithms like the general number field sieve. A 4096-bit RSA keypair
> would be roughly equivalent to a symmetric algorithm using a 160-bit key
> (unless we find better algorithms to break RSA).

I thought RSA4096 was equivalent to more than this, I'm disappointed :-)

> A 32-character
> passphrase would be enough to protect the private key. Moreover, if you
> use a weaker passphrase, you have not lost yet as the string to key
> function used to turn the passphrase into an AES key is slow. I don't
> know where the limit is, but the idea is that with a shorter passphrase,
> the attacker may still have a better time finding the AES key instead of
> the passphrase.

I see, the same principle as system passwords using many rounds to slow
down brute force attacks. With this said, when you see the amount of power
that some ASICs, FPGAs and GPUs have developed over the years due to the
mining activities, often counting in gigahashes/s, I suspect you'll need
many rounds to be safe :-/

> But if someone can steal your encrypted key from your machine, they may
> also be able to steal the unencrypted one through various means. So, you
> may still be right about being paranoid. :)

Yes, that's still the point. After all, when you have access to a user-
owned file, you also have access to this user's processes. It's not very
complicated to run "while ! strace -o foo.log -p $(pgrep gpg); do sleep
0.1;done", it remains very discreet and will easily reveal the passphrase.

Thanks for the detailed explanation!

Willy
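Worked example, added here and not part of the thread above: the "string to key" function Vincent mentions is OpenPGP's iterated-and-salted S2K (RFC 4880, section 3.7.1.3), which hashes the salt and passphrase repeated up to about 65 MB before the result becomes the AES key. The code below implements that S2K for the single-hash-context case and then puts numbers on the two claims in the exchange: how many bits a passphrase of a given length carries, and how many extra bits of work the iteration count adds, so one can see where a passphrase stops being the weakest point against a 128- or 256-bit AES key. The attacker throughput used at the bottom is a constructed assumption, not a measurement.

```python
"""Passphrase protection of an OpenPGP secret key: passphrase entropy plus the
work added by the iterated-and-salted S2K.

Added example. The S2K layout follows RFC 4880 section 3.7.1.3; the attacker
throughput figure in __main__ is a constructed assumption."""
import hashlib
import math
import os
import time

HASH_BLOCK_BYTES = 64  # SHA-1 and SHA-256 both compress 64-byte blocks


def s2k_count(coded: int) -> int:
    """Decode the one-octet S2K count (RFC 4880 3.7.1.3):
    count = (16 + low nibble) << (high nibble + 6), so 0x00 -> 1024 octets
    and 0xFF -> 65011712 octets hashed per derivation."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        hash_name: str = "sha256", key_len: int = 32) -> bytes:
    """Iterated+salted S2K: hash `count` octets of the endlessly repeated
    (salt || passphrase) stream and use the leading key_len octets as the key.
    Only the case key_len <= digest size (one hash context) is handled."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    # RFC 4880: if count is smaller than the data, hash the data once in full.
    count = max(s2k_count(coded), len(data))
    h = hashlib.new(hash_name)
    full, rem = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    digest = h.digest()
    if key_len > len(digest):
        raise ValueError("multi-context S2K not implemented in this example")
    return digest[:key_len]


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def effective_work_bits(entropy_bits: float, coded: int) -> float:
    """log2 of the expected attacker work, counted in hash compressions.
    Expected guesses are half the keyspace (-1 bit); every guess costs
    count / HASH_BLOCK_BYTES compressions, which the S2K adds on top."""
    per_guess = max(s2k_count(coded) / HASH_BLOCK_BYTES, 1)
    return entropy_bits - 1 + math.log2(per_guess)


def expected_crack_seconds(entropy_bits: float, coded: int,
                           attacker_compressions_per_s: float) -> float:
    """Expected time for an attacker evaluating that many hash compressions
    per second (the rate is an assumption supplied by the caller)."""
    return 2 ** effective_work_bits(entropy_bits, coded) / attacker_compressions_per_s


if __name__ == "__main__":
    salt = os.urandom(8)
    passphrase = b"correct horse battery staple"  # constructed sample
    t0 = time.perf_counter()
    key = s2k_iterated_salted(passphrase, salt, 0xFF)
    print(f"key {key.hex()} derived at max count in {time.perf_counter() - t0:.2f}s")

    # Constructed assumption: 1e10 compressions/s, i.e. a "10 gigahash/s" rig.
    rate = 1e10
    for length in (8, 16, 32):
        bits = passphrase_entropy_bits(length, 95)  # random printable ASCII
        for coded in (0x60, 0xFF):
            work = effective_work_bits(bits, coded)
            years = expected_crack_seconds(bits, coded, rate) / (365.25 * 86400)
            print(f"{length:2d} chars ({bits:5.1f} bits), count 0x{coded:02X}: "
                  f"~2^{work:5.1f} compressions, {years:.3g} years at {rate:.0e}/s")
```

Two things the numbers make visible: the maximum count adds just under 20 bits of work per guess (65011712 / 64 compressions), so a random 16-character printable passphrase (about 105 bits) lands near 2^124 compressions, roughly the cost of AES-128 itself, while Vincent's 32 characters are far above the 160-bit equivalence quoted for RSA-4096; and as Willy notes, a slow S2K only multiplies the attacker's bill, it does not help once the passphrase entropy is low enough that 20 extra bits are cheap for a GPU farm.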
