Tuesday, January 13, 2015

How many bits of entropy will stop a targeted attack?

Over at security.stackexchange there is currently the following question:
The OpenPGP (private) key format stores the key symmetrically encrypted ... key expansion takes about a second on my computer (GPG).
With this kind of setup, is it possible to make it hard enough to brute-force that it's sane to have the private-key publicly available?
I expect the answer depends on the passphrase complexity. E.g. if you somehow managed to have a passphrase with 256 bits of entropy, then an attacker would be better off just guessing the derived key instead of the passphrase - which in this case amounts to brute-forcing an AES key (which I'd consider hard enough to be "safe"). So the question might really be "how complex does your passphrase have to be to make this safe?".
I touched on this thought in my comment over there, but would like to muse on the question a bit more.

His is talking about having his encrypted private key publicly exposed, most likely in a way that it is associated back to one of his accounts. Unless he plans on never actually using the key pair, there will be exploitable benefits to someone malicious to have the private key. Forge messages, open messages sent to him, possibly open messages sent from him. Also, just the thrill of winning may drive folks to attempt this challenge.

Folks, don't issue challenges like this. Remember Todd Davis, the LifeLock CEO that put his Social Security Number in the ads because of how confident he was in his product? He has been identified as an identity thief victim 13 times. And that is with his entire companies' mission and reputation on the line (a reputation that the federal government viewed as $12 million dollars tarnished!). Don't do it!

Once the challenge is issued, it isn't just a question of can the password be cracked. It now becomes a question of can he be hacked. Well crafted, personalized malicious emails (spear phishing) being sent to him, possibly even coming from his compromised friends. When you are a target, anyone connected to you may become a target. As a target, a large amount of personal information can typically be gathered including address, phone number, family members and more. Unfortunately this activity, doxxing, is fairly common as a type of online harassment. Challenged enough what can someone do with all this information?
Not a *likely* outcome. Source: XKCD
If a hacker gains control of your computer, they can place software to harvest your sensitive data: passwords, pseudonyms, possibly financial information.

Please, don't intentionally make yourself a target. (Says the guy that ran for Congress in 2014)

No comments:

Post a Comment