PGP and dictionary attacks on private secret keyring - PGP

This is a discussion on PGP and dictionary attacks on private secret keyring - PGP ; Hi all I'm studiing the PGP (and GPG) documentation. As known, one of the major (and known, of course) risk is a dictionary attack on a (stolen) private secret keyring. Everywhere is written, that this type of attack is very ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: PGP and dictionary attacks on private secret keyring

  1. PGP and dictionary attacks on private secret keyring

    Hi all

    I'm studiing the PGP (and GPG) documentation. As known, one of the major
    (and known, of course) risk is a dictionary attack on a (stolen) private
    secret keyring. Everywhere is written, that this type of attack is very
    easy to do (is somebody get my keyring) but I can't find any documents
    about this type of attack.

    I have the GPG sources, but this didn't help me. Can anybody send me a
    link to this type of documentation?

    Thanks
    Michal

    --
    Michal Vymazal
    vymazal at secunet dot cz


  2. Re: PGP and dictionary attacks on private secret keyring

    begin quotation
    from Michal Vymazal
    in message
    posted at 2005-08-23T12:09
    > I'm studiing the PGP (and GPG) documentation. As known, one of the major
    > (and known, of course) risk is a dictionary attack on a (stolen) private
    > secret keyring. Everywhere is written, that this type of attack is very
    > easy to do (is somebody get my keyring) but I can't find any documents
    > about this type of attack.


    It's not that easy to do, especially if the iterated and salted S2K
    method is used (section 3.6.1.3 of RFC 2440). If you're dumb enough to
    use just salted S2K or even simple S2K, then you deserve what you get
    (and don't even get me started about unprotected secret keys).

    > I have the GPG sources, but this didn't help me. Can anybody send me a
    > link to this type of documentation?


    Sounds to me like you don't know what a dictionary attack is, so start
    here:

    --
    ___ _ _____ |*|
    / __| |/ / _ \ |*| Shawn K. Quinn
    \__ \ ' < (_) | |*| skquinn@speakeasy.net
    |___/_|\_\__\_\ |*| Houston, TX, USA

  3. Re: PGP and dictionary attacks on private secret keyring

    Shawn K. Quinn napsal(a):
    > begin quotation
    > from Michal Vymazal
    > in message
    > posted at 2005-08-23T12:09
    >
    >>I'm studiing the PGP (and GPG) documentation. As known, one of the major
    >>(and known, of course) risk is a dictionary attack on a (stolen) private
    >>secret keyring. Everywhere is written, that this type of attack is very
    >>easy to do (is somebody get my keyring) but I can't find any documents
    >>about this type of attack.

    >
    >
    > It's not that easy to do, especially if the iterated and salted S2K
    > method is used (section 3.6.1.3 of RFC 2440). If you're dumb enough to
    > use just salted S2K or even simple S2K, then you deserve what you get
    > (and don't even get me started about unprotected secret keys).

    Yes, I read it. Thanks for explanation.
    >
    >
    >>I have the GPG sources, but this didn't help me. Can anybody send me a
    >>link to this type of documentation?

    >
    >
    > Sounds to me like you don't know what a dictionary attack is, so start
    > here:
    >

    Misunderstanding :-) I'm loooking for some implementation of this
    attack. I'm using GPG, but I need to know the possibility of an attacker
    in case of an stolen keyring. What I need is to know, how much time I
    will have to make changes (revocate key, generate a new key, logistic
    changes). And for this reason i need to reconstruct the consecution of
    the attacker.

    --
    Michal Vymazal
    vymazal at secunet tecka cz


  4. Re: PGP and dictionary attacks on private secret keyring

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Yeah basically don't let someone get ahold of your secret key, lol.

    Or have a really good password.

    Anything suceptible to dictionary attack deserves to get cracked in the
    first place, lol.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (MingW32)

    iD8DBQFESEG2b/8X6V5MpAURAmPUAJ9y01aC2CnbVkp0WcZV2XL3Hi7sJACgoMGy
    WoWS24iSBFFe71G3vv+qzcE=
    =XrhG
    -----END PGP SIGNATURE-----

  5. Re: PGP and dictionary attacks on private secret keyring

    On Thu, 20 Apr 2006 22:21:42 -0400, Matt Westfall
    wrote:


    >
    >Yeah basically don't let someone get ahold of your secret key, lol.
    >
    >Or have a really good password.
    >
    >Anything suceptible to dictionary attack deserves to get cracked in the
    >first place, lol.



    Okay, what the heck is a dictionary attack? Suppose my password is
    "droptrashcanterminateacidradiohotel" Can a dictionary attack crack this
    password? If so, how does it work?

+ Reply to Thread