Re: GPG Config File
From: Stefan Bellon
Subject: Re: GPG Config File
Date: Thu, 12 Aug 2004 09:36:30 +0200
User-agent: Pluto/3.03h (RISC-OS/5.05) NewsHound/1.43-32pre3
Max Mustermann wrote:
> I see two problems with this:
> 1. I don't believe it automates the process. I believe you still have
> to enter this "null" pass phrase by hitting the ENTER key. And I
> assume the OP's goal was avoiding this.
> 2. I'd also assume that an intelligent attacker would have a "null"
> pass phrase as one of the entries in a "dictionary" file, and/or it
> would be one of the first things they'd try. In this respect, a
> "null" pass phrase is considerably less secure than having a proper
> pass phrase entered automatically.
> Thoughts? Corrections?
Yes, two wrongs:
1. If you specify an empty passphrase with GnuPG then you don't have to
enter it, i.e. GnuPG doesn't ask for the passphrase and you can
automate signing and decryption.
2. If an attacker can get hold of your secret keyring in order to mount
a dictionary attack, then he most likely can get hold of your script
that automates the process. And the password is inside that script.
So, both methods are critical, but using an empty passphrase is not
less secure than putting the passphrase in clear text in a script.
Setting follow-up to alt.security.pgp.
--
Stefan Bellon