[liberationtech] PGP is hard to use and needs stuff installed on your computer. Use PassLok instead.

Michael Rogers michael at briarproject.org
Sat Jul 27 14:05:54 PDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/07/13 21:42, Francisco Ruiz wrote:
> PassLok performs public-key cryptography using the Diffie-Hellman
> key exchange rather than RSA, so you can use whatever secret key
> you want. Hopefully something that is both very hard to guess and
> easy to remember, so you never have to write it down. PassLok will
> help you to come up with a strong key, but won't force you in any
> way.

Hi Francisco,

It looks like you're generating a Diffie-Hellman key pair from a
passphrase using PBKDF2 with no salt and a single iteration. That's a
bad idea - the resulting key pair will be susceptible to a dictionary
attack by anyone who knows the public key, or a message encrypted with
the public key, or a message signed with the private key. Worse,
because you don't use salt, the dictionary attack can be carried out
in advance by building a rainbow table.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
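
The following is an added example, not part of the original message and not PassLok's code. It shows why a key pair derived from a passphrase with an empty salt and one PBKDF2 iteration can be matched against a table built in advance, and how a per-user random salt defeats that table. The hash (HMAC-SHA256), the 32-byte output, the toy Diffie-Hellman group, the 200,000 iteration count, the function names and the word list are all assumptions made for illustration.

```python
import hashlib
import os

# Toy Diffie-Hellman group, constructed for illustration only (assumption;
# far too small for real use and not the group PassLok uses).
P = 2**127 - 1  # Mersenne prime M127
G = 3


def keypair(passphrase: str, salt: bytes, iterations: int):
    """Derive a DH private exponent from a passphrase, then its public key."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              iterations, dklen=32)
    priv = int.from_bytes(raw, "big") % (P - 1)
    return priv, pow(G, priv, P)


def weak_keypair(passphrase: str):
    # The setup described in the message: no salt, a single iteration.
    return keypair(passphrase, b"", 1)


def precompute(wordlist, derive):
    """Map public key -> passphrase. Needs no knowledge of any particular user."""
    return {derive(word)[1]: word for word in wordlist}


# Constructed sample guesses; a real table would cover a large dictionary.
WORDLIST = ["correct horse", "letmein", "hunter2", "trustno1"]


def demo():
    table = precompute(WORDLIST, weak_keypair)

    # Unsalted: two unrelated users with the same passphrase publish the
    # same public key, so one table built in advance covers both of them.
    _, alice_pub = weak_keypair("hunter2")
    _, bob_pub = weak_keypair("hunter2")

    # Salted: a random per-user salt makes the public key unique, so the
    # table no longer applies, and each guess costs 200,000 iterations.
    salt = os.urandom(16)
    _, salted_pub = keypair("hunter2", salt, 200_000)

    return {
        "same_public_key": alice_pub == bob_pub,
        "unsalted_lookup": table.get(alice_pub),
        "salted_lookup": table.get(salted_pub),
    }


if __name__ == "__main__":
    print(demo())
```

A salt only helps if it is stored or published alongside the public key, which means the key pair can no longer be regenerated from the passphrase alone.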


