Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.security.pgp.discuss > #73

Re: GPG Question on Symmetric Key Input

From Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca>
Newsgroups comp.security.pgp.discuss
Subject Re: GPG Question on Symmetric Key Input
Date 2011-06-30 00:32 -0600
Organization BrewJay's Babble Bin
Message-ID <972jl9F6hdU1@mid.individual.net> (permalink)
References <cf00d484-2c54-4210-8fae-2d790f6b5a43@gu8g2000vbb.googlegroups.com> <94684jF3lbU1@mid.individual.net> <8415d78c-6208-463a-826a-a5ed707ebd87@n10g2000yqf.googlegroups.com> <96gel5F70vU1@mid.individual.net> <c4033f9f-f9dc-488b-a216-726e822a2047@q17g2000vby.googlegroups.com>

Show all headers | View raw


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
On 2011-06-27 9:07 PM, Globemaker wrote:
> On Jun 23, 5:17 am, Bohgosity
BumaskiL

> <brewh...@freenet.edmonton.ab.ca> wrote:
> GPG and PGP use a hash on the symmetric key you enter,
>
> because the hash contains more entropy: It is
> always 128 bits of enhanced randomness, so the
> best reason for hashing your keystrokes is because
> people are not always very creative with their
> pass-phrases. Phil Zimmerman coined that term,
> because even after he did the work of hashing
> pass-phrases, he wasn't convinced that people
> would always come up with sixteen letterz for
> their security, AND it was hard to prove that
> hashing a key was effective against short or
> sloppy symmetric keys.
>
> I imajin that you want to use a key with all
> zeros to test the symmetric encryption method.
> Well...your final analysis should include the
> effect of hashing your zeros.
> _______
> http://ecn.ab.ca/~brewhaha/BrewJay's Babble Bin

> Thank you for mentioning the
hash step. My
> conclusion is that the
> hashed password value is not
accessible to
> me or any user from the

> menus.

> If the symmetric key is a
hashed password,
> it is no better than

> a password. The hash is easy to duplicate.
> Bad passwords : 123456,

> password, secret, etc. always hash into the
> same symmetric key.

1. Hash words, in the same manner az PGP, like
   "secret".
2. If your hash matches the symmetric key, then
   you've cracked it.
3. Code is probably out there to apply "crack"
   to PGP.

Symmetric cryptography is never stronger than a
user's pass-phrase. Few people use symmetric
cryptography: gpg -c
That is why it was hard for Zimmerman to prove
that hashing a symmetric key was an improvement.
I see nothing that anyone can do about weak
pass-phrases, other than making a computer
demand a strong one, or at least rate strength.
Symmetric cryptography is never stronger than a
pass-phrase.

OTOH, if we talk about public key crypto, an
attacker haz to get both a private key, and a
pass-phrase. In that case, a symmetric key will
be extremely random, and it will be encrypted
with a public key.

> GPG

> seems to prevent users from seeing the symmetric
> key or setting the key. Only
passwords are used to

> hash to set the key. This is
weak

> crypto. It is compromised. Correct me if there
> is a way to input a 128

> bit key directly into
GPG AES. I believe there
> is no menu item to

> define a 128 bit key for symmetric ciphers. That
> is bad quality

> crypto. It is weak so it can be broken easily
> by NSA, etc. But it is

> strong enough to fool my little sister or script
> kiddies.

(remind me to find something to re-format quoted
text before enigmail signs it)

I do not see how using clear pass-phrases can be
any stronger than hashed pass-phrases. What you are
saying haz nothing to do with weak crypto: More
entropy is in keys being used to encrypt a message.
If you could enter a pass-phrase without a hash,
then you could still apply crack to it. It would
run twice az long, because it would hav to test
against both hashed and unhashed pass-phrases.

In the end, I see no compelling reason to enable
unhashed pass-phrases in symmetric crypto.
_______
A soldier who survived mustard gas and
pepper spray is now a seasoned veteran.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQCVAwUBTgwYgR47apzXdID2AQIb+AP+MdmSoY0tx/pHHZriUKgKAdXrKZFyQGOH
srnzcu4Xj/1Wqw9ws/m9BWPh80Sxxt0d4+cNVp4DTReGjF6m6dPDB6h3BuYM13Rh
6Khh0RWRVjEZJeGswtYFs2bnVBpgA05HAdyXu4Tr0BlBYRiPU1hftTrXZO0BXyZ1
4OO7n7vsJ8E=
=kX/J
-----END PGP SIGNATURE-----

Back to comp.security.pgp.discuss | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-05-26 00:52 -0500
  Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-05-26 05:01 -0700
    Re: GPG Question on Symmetric Key Input Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> - 2011-06-23 03:17 -0600
      Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-06-27 20:07 -0700
        Re: GPG Question on Symmetric Key Input "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2011-06-28 03:11 -0400
          Re: GPG Question on Symmetric Key Input Fritz Wuehler <fritz@spamexpire-201106.rodent.frell.theremailer.net> - 2011-06-29 12:47 +0200
            Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-08-19 04:36 -0700
              Re: GPG Question on Symmetric Key Input Otto Sykora <bggbflxben@tzk.pu> - 2011-08-28 13:22 +0200
              Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-08-31 12:48 -0500
                Re: GPG Question on Symmetric Key Input "Thor Kottelin" <thor@anta.net> - 2011-09-01 00:18 +0300
                Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-09-01 13:29 -0500
        Re: GPG Question on Symmetric Key Input Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> - 2011-06-30 00:32 -0600
    Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-07-09 02:41 -0500

csiph-web