Re: GPG Config File

From: Stefan Bellon
Subject: Re: GPG Config File
Date: Thu, 12 Aug 2004 09:36:30 +0200


Max Mustermann wrote:

> I see two problems with this:

> 1. I don't believe it automates the process. I believe you still have
> to enter this "null" pass phrase by hitting the ENTER key. And I
> assume the OP's goal was avoiding this.

> 2. I'd also assume that an intelligent attacker would have a "null"
> pass phrase as one of the entries in a "dictionary" file, and/or it
> would be one of the first things they'd try. In this respect, a
> "null" pass phrase is considerably less secure than having a proper
> pass phrase entered automatically.

> Thoughts? Corrections?

Yes, two wrongs:

1. If you specify an empty passphrase with GnuPG then you don't have to
   enter it, i.e. GnuPG doesn't ask for the passphrase and you can
   automate signing and decryption.

2. If an attacker can get hold of your secret keyring in order to mount
   a dictionary attack, then he most likely can get hold of your script
   that automates the process. And the password is inside that script.
   So, both methods are critical, but using an empty passphrase is not
   less secure than putting the passphrase in clear text in a script.

Setting follow-up to

Stefan Bellon
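As an added example (not part of Stefan's post and not GnuPG's own tooling), this POSIX shell script follows up on his point 2: if a passphrase has to live on the machine for unattended signing, at least keep it out of the script body and refuse to run while the file holding it is readable by other users. The key id, file names and paths are placeholders.

```shell
#!/bin/sh
# Added example: unattended GnuPG signing with the passphrase kept in a
# separate file instead of inside the script. Nothing here is from the thread.

# Return 0 only if FILE is a regular file with no group/other permission bits.
# Uses ls -l (POSIX) rather than stat, whose flags differ between GNU and BSD.
check_passphrase_file() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of "ls -ld" output are the group and other bits, e.g. "r--r--"
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Create a detached signature FILE.sig with key KEYID, feeding the passphrase
# from PASSFILE on stdin so it never appears on the command line or in this script.
sign_detached() {
    passfile="$1"; keyid="$2"; file="$3"
    check_passphrase_file "$passfile" || {
        echo "refusing to sign: $passfile is missing or readable by others" >&2
        return 1
    }
    # --batch suppresses all prompts; --pinentry-mode loopback makes GnuPG 2.1+
    # honour --passphrase-fd instead of routing the request through pinentry.
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
        --local-user "$keyid" --detach-sign --output "$file.sig" "$file" < "$passfile"
}

# Usage (placeholder values):
#   sign_detached /etc/backup/gpg-passphrase BADC0FFEE /var/backups/nightly.tar
```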

