Is it ok to share the PGP Keys and keep the PassPhrase private?

Here is a question to the Crypto experts (which I’m not).

From a security point of view, is it ok if I publish both Public and Private PGP Keys but keep the PassPhrase secret?

My assumption is that: “as long as the PassPhrase is strong enough, it would not be practical to brute force it (even if the attacker knows the Private Key)”. In fact, perhaps the question should be: “How big does the PassPhrase need to be in the 2010/2011 time frame for it to be secure?”

To see this in practice, check out the latest script/tool that I just added to the OWASP O2 Platform, which dramatically simplifies the process of using PGP (creating keys, encrypting/decrypting text and encrypting/decrypting files):

As you can see, this O2 tool will really enable this workflow (sending both the Public and Private Keys to the client in a non-encrypted zip and then sending the PassPhrase via an offline/out-of-band method), so I’m really trying to figure out if this is a good idea 🙂
Finally, for the really hard-core crypto guys, can you take a look at how I implemented the BouncyCastle Crypto APIs to make sure I did it correctly: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/OpenPgp/API_OpenPgp.cs

Thanks

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

The OWASP O2 Platform knows your physical location! …and… “phishing for MACs”

Hi SecuriTeam crowd. After much soft pressure from Brian, I’m finally putting on my ‘SecuriTeam Blogger Hat’, and hopefully this will be the first of many WebAppSec and O2 Platform related posts.

For my first post I chose the latest script that I just added to the OWASP O2 Platform (http://o2platform), which is called “Tool – Find Physical Location via MAC Address (using Google’s APIs).h2” and does exactly that. It will show your current location using your current wireless router’s MAC address (or the location of a provided MAC address).

This is based on the research done by Samy in his “How I Met Your Girlfriend” presentation (he is currently on an OWASP EU Tour presenting it), and it is a good example of the O2 Platform’s powerful dynamic scripting environment (I wrote that PoC in a couple of hours).

For more details on how this works see

I think that the fact that Google exposes this information is a big deal, and I personally (as a consumer with exposed data) am not happy at all with it. But my personal feelings don’t really matter here, the question I think we should try to answer is: ‘How big is this problem?’

Basically, since MAC addresses are now a valuable asset, let’s go “Phishing for MACs” and figure out all the ways we can calculate/map/find them.

In the O2 script above I used “arp -a” to get the local wireless router’s MAC address, and Samy used an XSS on the router, so what other ways are there to find a router’s MAC address?
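As an added example (not the O2 script itself, and not code from Samy’s research), here is how the “arp -a” step can be handled from the defender’s side: parse the ARP table a host already holds, normalise the addresses, and separate real unicast hardware addresses (the only ones that identify a device and can be mapped) from broadcast and multicast entries that a naive script would happily submit to a lookup service. It is useful for inventorying which of your own MAC addresses are visible to anything that can run a command on a host in the LAN. Both sample ARP outputs below are constructed, and the gateway IP is an assumption passed in by the caller.

```python
import re
from typing import Dict, Optional

# One "IP ... MAC" pair per line; Windows uses '-' separators, Unix uses ':'.
_ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form, so Windows and Unix agree."""
    return mac.lower().replace("-", ":")


def parse_arp(output: str) -> Dict[str, str]:
    """Map IP -> MAC for every ARP entry found in `arp -a` style output.
    Header lines such as 'Interface: 192.168.1.10 --- 0xb' carry no MAC
    and are skipped because the pattern needs six hex pairs."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            entries[m.group("ip")] = normalize_mac(m.group("mac"))
    return entries


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet set means multicast (ff:ff:.. broadcast too)."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x01)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally,
    not burned in by the vendor, so it is not a stable device identifier."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def unicast_entries(output: str) -> Dict[str, str]:
    """Only unicast, vendor-assigned addresses identify a physical device."""
    return {ip: mac for ip, mac in parse_arp(output).items()
            if not is_multicast(mac) and not is_locally_administered(mac)}


def gateway_mac(output: str, gateway_ip: str) -> Optional[str]:
    """The router's address is the entry for the default gateway IP, which
    the caller knows from its routing table (assumed input here)."""
    return unicast_entries(output).get(gateway_ip)


# Constructed sample outputs in the two common formats.
WINDOWS_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_SAMPLE = """\
_gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at 02:aa:bb:cc:dd:ee [ether] on wlan0
"""

if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(name, "all:", parse_arp(sample))
        print(name, "device addresses:", unicast_entries(sample))
        print(name, "gateway:", gateway_mac(sample, "192.168.1.1"))
```

Filtering on the multicast and locally-administered bits matters in both directions: it keeps junk out of a lookup, and it shows that a router advertising a locally-administered address is not a stable identifier for a location database to key on.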

I wonder if we can brute force Google’s Location Services database and get a mapping of ALL “MAC addresses + Locations” that they have currently stored 🙂
