Is it ok to share the PGP Keys and keep the PassPhrase private?

Here is a question to the Crypto experts (which I’m not).

From a security point of view, is it ok if I publish both Public and Private PGP Keys but keep the PassPhrase secret?

My assumption is that: “as long as the PassPhrase is strong enough, it would not be practical to brute force it (even if the attacker knows the Private Key)”. In fact, should the question be: “How big does the PassPhrase need to be in the 2010/2011 time frame for it to be secure?”
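To put numbers on that assumption, here is an added example (not part of the original post and not O2 Platform code) that estimates how long an offline search of the passphrase space would take once the private key file is public. It assumes the key is protected with the OpenPGP iterated and salted S2K from RFC 4880, a passphrase chosen uniformly at random, and a made-up attacker throughput; all function names are hypothetical.

```python
import math

EXPBIAS = 6  # constant from RFC 4880, section 3.7.1.3

def s2k_octets(coded_count: int) -> int:
    """Decode the one-octet count of an iterated and salted S2K specifier:
    the number of octets hashed to turn one passphrase into a key."""
    if not 0 <= coded_count <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (coded_count & 15)) << ((coded_count >> 4) + EXPBIAS)

def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently.
    Human-chosen passphrases carry far less than this upper bound."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of random symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def expected_years(bits: float, coded_count: int, octets_per_second: float) -> float:
    """Expected time to search half the passphrase space offline."""
    guesses = 0.5 * 2.0 ** bits
    seconds = guesses * s2k_octets(coded_count) / octets_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e12   # ASSUMPTION: attacker hashes 10^12 octets/s (constructed figure)
    COUNT = 96    # coded count 0x60 decodes to 65536 octets per guess
    for label, size, length in [("8 lowercase letters", 26, 8),
                                ("12 printable ASCII", 95, 12),
                                ("7 Diceware words", 7776, 7)]:
        bits = passphrase_bits(size, length)
        print(f"{label}: {bits:.1f} bits, "
              f"{expected_years(bits, COUNT, RATE):.3g} years")
```

With the private key published, the passphrase entropy and the S2K count are the only work factor left, and the search can run offline with no rate limiting or lockout.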

To see this in practice check out the latest script/tool that I just added to the OWASP O2 Platform which dramatically simplifies the process of using PGP (creating keys, encrypting/decrypting text and encrypting/decrypting files):

As you can see, this O2 tool will really enable this workflow (sending both the Public and Private Keys to the client in a non-encrypted zip and then sending the PassPhrase in an offline/out-of-band method), so I’m really trying to figure out if this is a good idea 🙂

Finally, for the really hard-core crypto guys, can you take a look at how I implemented the BouncyCastle Crypto APIs to make sure I did it correctly:


The OWASP O2 Platform knows your physical location! …and… “phishing for MACs”

Hi SecuriTeam crowd. After much soft-pressure from Brian, I’m finally putting on my ‘SecuriTeam Blogger Hat’ and hopefully this will be the first of many WebAppSec and O2 Platform related posts.

For my first post I chose the latest script that I just added to the OWASP O2 Platform (http://o2platform) which is called “Tool – Find Physical Location via MAC Address (using Google’s APIs).h2” and does exactly that. It will show your current location using your current wireless router’s MAC address (or the location of a provided MAC address).

This is based on the research done by Samy for his “How I Met Your Girlfriend” presentation (currently on an OWASP EU Tour presenting it) and it is a good example of the O2 Platform’s powerful dynamic scripting environment (I wrote that PoC in a couple of hours).

For more details on how this works see

I think that the fact that Google exposes this information is a big deal, and I personally (as a consumer with exposed data) am not happy at all with it. But my personal feelings don’t really matter here, the question I think we should try to answer is: ‘How big is this problem?’

Basically, since MAC addresses are now a valuable asset, let’s go “Phishing for MACs” and figure out all the ways we can calculate/map/find them.

On the O2 script above I used “arp -a” to get the local wireless router, Samy used an XSS on the router, so what other ways are there to find a router’s MAC address?

I wonder if we can Brute Force Google’s Location Services database and get a mapping of ALL “MAC addresses+Locations” that they have currently stored 🙂