Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.security.pgp.discuss > #73
| From | Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> |
|---|---|
| Newsgroups | comp.security.pgp.discuss |
| Subject | Re: GPG Question on Symmetric Key Input |
| Date | 2011-06-30 00:32 -0600 |
| Organization | BrewJay's Babble Bin |
| Message-ID | <972jl9F6hdU1@mid.individual.net> (permalink) |
| References | <cf00d484-2c54-4210-8fae-2d790f6b5a43@gu8g2000vbb.googlegroups.com> <94684jF3lbU1@mid.individual.net> <8415d78c-6208-463a-826a-a5ed707ebd87@n10g2000yqf.googlegroups.com> <96gel5F70vU1@mid.individual.net> <c4033f9f-f9dc-488b-a216-726e822a2047@q17g2000vby.googlegroups.com> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2011-06-27 9:07 PM, Globemaker wrote: > On Jun 23, 5:17 am, Bohgosity BumaskiL > <brewh...@freenet.edmonton.ab.ca> wrote: > GPG and PGP use a hash on the symmetric key you enter, > > because the hash contains more entropy: It is > always 128 bits of enhanced randomness, so the > best reason for hashing your keystrokes is because > people are not always very creative with their > pass-phrases. Phil Zimmerman coined that term, > because even after he did the work of hashing > pass-phrases, he wasn't convinced that people > would always come up with sixteen letterz for > their security, AND it was hard to prove that > hashing a key was effective against short or > sloppy symmetric keys. > > I imajin that you want to use a key with all > zeros to test the symmetric encryption method. > Well...your final analysis should include the > effect of hashing your zeros. > _______ > http://ecn.ab.ca/~brewhaha/BrewJay's Babble Bin > Thank you for mentioning the hash step. My > conclusion is that the > hashed password value is not accessible to > me or any user from the > menus. > If the symmetric key is a hashed password, > it is no better than > a password. The hash is easy to duplicate. > Bad passwords : 123456, > password, secret, etc. always hash into the > same symmetric key. 1. Hash words, in the same manner az PGP, like "secret". 2. If your hash matches the symmetric key, then you've cracked it. 3. Code is probably out there to apply "crack" to PGP. Symmetric cryptography is never stronger than a user's pass-phrase. Few people use symmetric cryptography: gpg -c That is why it was hard for Zimmerman to prove that hashing a symmetric key was an improvement. I see nothing that anyone can do about weak pass-phrases, other than making a computer demand a strong one, or at least rate strength. Symmetric cryptography is never stronger than a pass-phrase. OTOH, if we talk about public key crypto, an attacker haz to get both a private key, and a pass-phrase. In that case, a symmetric key will be extremely random, and it will be encrypted with a public key. > GPG > seems to prevent users from seeing the symmetric > key or setting the key. Only passwords are used to > hash to set the key. This is weak > crypto. It is compromised. Correct me if there > is a way to input a 128 > bit key directly into GPG AES. I believe there > is no menu item to > define a 128 bit key for symmetric ciphers. That > is bad quality > crypto. It is weak so it can be broken easily > by NSA, etc. But it is > strong enough to fool my little sister or script > kiddies. (remind me to find something to re-format quoted text before enigmail signs it) I do not see how using clear pass-phrases can be any stronger than hashed pass-phrases. What you are saying haz nothing to do with weak crypto: More entropy is in keys being used to encrypt a message. If you could enter a pass-phrase without a hash, then you could still apply crack to it. It would run twice az long, because it would hav to test against both hashed and unhashed pass-phrases. In the end, I see no compelling reason to enable unhashed pass-phrases in symmetric crypto. _______ A soldier who survived mustard gas and pepper spray is now a seasoned veteran. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQCVAwUBTgwYgR47apzXdID2AQIb+AP+MdmSoY0tx/pHHZriUKgKAdXrKZFyQGOH srnzcu4Xj/1Wqw9ws/m9BWPh80Sxxt0d4+cNVp4DTReGjF6m6dPDB6h3BuYM13Rh 6Khh0RWRVjEZJeGswtYFs2bnVBpgA05HAdyXu4Tr0BlBYRiPU1hftTrXZO0BXyZ1 4OO7n7vsJ8E= =kX/J -----END PGP SIGNATURE-----
Back to comp.security.pgp.discuss | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-05-26 00:52 -0500
Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-05-26 05:01 -0700
Re: GPG Question on Symmetric Key Input Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> - 2011-06-23 03:17 -0600
Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-06-27 20:07 -0700
Re: GPG Question on Symmetric Key Input "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2011-06-28 03:11 -0400
Re: GPG Question on Symmetric Key Input Fritz Wuehler <fritz@spamexpire-201106.rodent.frell.theremailer.net> - 2011-06-29 12:47 +0200
Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-08-19 04:36 -0700
Re: GPG Question on Symmetric Key Input Otto Sykora <bggbflxben@tzk.pu> - 2011-08-28 13:22 +0200
Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-08-31 12:48 -0500
Re: GPG Question on Symmetric Key Input "Thor Kottelin" <thor@anta.net> - 2011-09-01 00:18 +0300
Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-09-01 13:29 -0500
Re: GPG Question on Symmetric Key Input Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> - 2011-06-30 00:32 -0600
Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-07-09 02:41 -0500
csiph-web