Re: GPG Config File
From: Max Mustermann
Subject: Re: GPG Config File
Date: Wed, 11 Aug 2004 23:52:40 +0200

On Wed, 11 Aug 2004, Martin Dickopp <expires-2004-09-30@zero-based.org>
wrote:
>"Scott Johnson" <s.s@s.com> writes:
>
>> Can I stick the passphrase in the gnupg.conf file?
>
>No, that would obviously be completely insecure. If you want to do
>that, why do you use cryptography in the first place? What are you
>trying to achieve?

Just a thought, but while in the military I used hardware-based encryption
that required no human intervention at all. We generally secured such
systems with large-caliber handguns. ;) I think you can probably realize
there are many real-life variations on this theme.

If a PC is physically secure, there's less need for procedural security. Of
course for the vast majority, having pass phrases entered automatically is
a bad thing. A potentially severe breach just begging to happen.

>If you are sure you understand the implications, you can generate
>a key with an empty passphrase.

I see two problems with this:

1. I don't believe it automates the process. I believe you still have to
enter this "null" pass phrase by hitting the ENTER key. And I assume the
OP's goal was avoiding this.

2. I'd also assume that an intelligent attacker would have a "null" pass
phrase as one of the entries in a "dictionary" file, and/or it would be one
of the first things they'd try. In this respect, a "null" pass phrase is
considerably less secure than having a proper pass phrase entered
automatically.

Thoughts? Corrections?