Here is a question to the Crypto experts (which I’m not).
From a security point of view, is it ok if I publish both Public and Private PGP Keys but keep the PassPhrase secret?
My assumption is that: “as long as the PassPhrase is strong enough, it would not be practical to brute force it (even if the attacker knows the Private Key)”. In fact, should the question be: “How big does the PassPhrase need to be in the 2010/2011 time frame for it to be secure?”
To see this in practice check out the latest script/tool that I just added to the OWASP O2 Platform which dramatically simplifies the process of using PGP (creating keys, encrypting/decrypting text and encrypting/decrypting files):
- blog post: http://diniscruz.blogspot.com/2010/10/tool-using-openpgp-to-encrypt-or.html
- Wiki page: http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2
- YouTube Video: http://www.youtube.com/watch?v=_Cd8AfZyWMs
As you can see, this O2 tool will really enable this workflow (sending both the Public and Private Keys to the client in a non-encrypted zip and then sending the PassPhrase in an offline/out-of-band method), so I’m really trying to figure out if this is a good idea 🙂
Finally, for the really hard-core crypto guys, can you take a look at how I implemented the BouncyCastle Crypto APIs to make sure I did it correctly: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs
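To put the "how big does the PassPhrase need to be" question in concrete terms: when the private key block is public, the only thing standing between an attacker and the secret key material is the passphrase plus OpenPGP's string-to-key (S2K) function, whose salt and iteration count are stored in the clear inside the key packet. The Python below is an added example (not code from the O2 Platform or its BouncyCastle wrapper): it implements the RFC 4880 iterated-and-salted S2K for the single-hash-context case and estimates how the coded count multiplies the cost of an offline guessing attack; the salt, passphrase and hashing throughput are constructed/assumed values.

```python
import hashlib

def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880 3.7.1.3) into octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha256", key_len: int = 32) -> bytes:
    """Derive the symmetric key that protects the secret-key material.

    Single hash context only (assumption: key_len <= digest size), which covers
    SHA-256 protecting an AES-256 key. Salt and count are public; only the
    passphrase is secret, so the key's strength is the passphrase's entropy
    times the work the count forces per guess.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 octets")
    block = salt + passphrase
    # RFC 4880: if count is below len(salt + passphrase), hash the whole block once
    count = max(s2k_decode_count(coded_count), len(block))
    h = hashlib.new(hash_name)
    full, rem = divmod(count, len(block))
    for _ in range(full):
        h.update(block)
    h.update(block[:rem])  # partial repetition to reach exactly `count` octets
    digest = h.digest()
    if key_len > len(digest):
        raise ValueError("key_len exceeds digest size; multi-context S2K not implemented")
    return digest[:key_len]

def seconds_to_crack(entropy_bits: float, coded_count: int,
                     hash_octets_per_second: float) -> float:
    """Expected time to find a passphrase of the given entropy by offline
    guessing: half the space on average, each guess costing `count` octets
    of hashing at the assumed throughput."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * s2k_decode_count(coded_count) / hash_octets_per_second

if __name__ == "__main__":
    salt = bytes.fromhex("0123456789abcdef")  # constructed sample salt
    key = s2k_iterated_salted(b"correct horse battery staple", salt, 0x60)
    print("protection key:", key.hex())
    year = 365.25 * 86400
    for bits in (40, 60, 80):
        for coded in (0x60, 0xFF):  # common default vs. maximum coded count
            yrs = seconds_to_crack(bits, coded, 1e10) / year  # 10 GB/s hashing assumed
            print(f"{bits}-bit passphrase, coded count 0x{coded:02x}: ~{yrs:.3g} years")
```

Defaults written by older implementations use a coded count around 0x60 (65536 octets); the expected-years figures show that raising the count buys only a constant factor, so the passphrase's entropy is what has to carry the protection once the private key is public.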