Marcus Brinkmann Profile picture
I'm a tempura shrimp and you can't catch me! | ๐Ÿฆ™ ALPACA Attack | ๐Ÿฆ Raccon Attack | ๐Ÿ˜ˆ DEMONS Attack | @lambdafu@mastodon.social
Nov 17, 2021 โ€ข 19 tweets โ€ข 4 min read
Here is all you need toknow about the password security of PGP private keys and PGP symmetric encryption. tl;dr: PGP uses outdated and insecure algorithms. If you have to use it, you must choose a super strong password to protect yourself from brute force attacks. ๐Ÿงต๐Ÿ‘‡ This thread is about password protection of PGP private keys (stored or exported), and about password protected PGP messages ("gpg -c"). It's not about the public key encryption of PGP messages. This is inspired by a news story about somebody sending a private PGP key by email.
Jul 5, 2019 โ€ข 11 tweets โ€ข 4 min read
Recent reports on the #OpenPGP #keyserver certificate poisoning attacks have focused on the SKS keyserver implemented in OCaml, which is basically a replicated, censor-resistant, append-only database for unverified key material. But what about #gnupg's role in the attack? /thread Historically, the PGP tool used the same OpenPGP data structure internally and externally: PGP Keys (public or secret) are a sequence of OpenPGP packets. First there is a signing key packet, then a user id packet, followed by a binding signature, and then web of trust signatures.