Anonymous
2015-05-22 03:42:35 UTC
I have a really good pass phrase, one that is probably not
vulnerable to dictionary attacks, and long enough that a brute
force attack would take longer than anyone will ever live.
My understanding is that if I use my gpg public key encryption to
encrypt a message the actual message is encrypted with symmetric
encryption, most usually AES256 these days, and that symmetrically
encrypted message is encrypted using a session key that is
generated by gpg on the fly.
That session key is a 64-character hex number, so a 256-bit key.
And that session key is the only thing that my big, tough pass
phrase is being used by RSA to encrypt.
My pass phrase is a LOT stronger than 256 bits.
How vulnerable is that 256-bit session key?
My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."
But I did a gpg2 --show-session-key [symmetrically encrypted file
name] and gpg2 showed me a session key! It was another 256-bit key.
I am now wondering if there is anything that's secure. Would a
nation-state adversary be able to generate a rainbow table of those
256-bit keys? Would they be likely to crack the session key of an
encrypted message, whether public key or symmetric, if they really
put their resources against it?
I am assuming that once they've gotten the session key,
knowledgeable people could just decrypt the message or file. Is
there really any sense in using a seriously strong pass phrase,
even with symmetric encryption?
Signed - Stoopid_newbie