Best way to deal with chance of lost private key on Handheld?


Post by Chip » Wed, 23 Jul 2003 07:45:50



What is the best way to deal with the potential for theft/loss of a palmtop
containing a private PGP key? For example, I am considering creating a
separate key pair for use on my Palm. However, it is kind of a pain to deal
with two separate keys since I like to access my data on both my Palm and my
PC. I know I can keep a copy of the key on both devices but am curious if
there is some better alternative that might not require the use of two
separate private keys while still maintaining the usefulness of the PGP
systems and without requiring the creation of a new private key if the Palm
is stolen/lost with the private key onboard.

I am considering adding PGP to my Palm but am concerned about the potential
loss of my private key.

Thanks!
Chip

 
 
 


Post by Gamma300 » Wed, 23 Jul 2003 16:11:20



Quote:
> What is the best way to deal with the potential for theft/loss of a palmtop
> containing a private PGP key? For example, I am considering creating a
> separate key pair for use on my Palm. However, it is kind of a pain to deal
> with two separate keys since I like to access my data on both my Palm and my
> PC. I know I can keep a copy of the key on both devices but am curious if
> there is some better alternative that might not require the use of two
> separate private keys while still maintaining the usefulness of the PGP
> systems and without requiring the creation of a new private key if the Palm
> is stolen/lost with the private key onboard.
>
> I am considering adding PGP to my Palm but am concerned about the potential
> loss of my private key.
>
> Thanks!
> Chip

Use a very secure password. Then even if someone steals your palmtop,
security isn't damaged. Do a Google search for 'diceware'. A 10 word
diceware passphrase, without any fancy capitalisation/extra symbols, etc.,
is better than the 128 bit encryption for most of the symmetric encryption,
and is equivalent to being more secure than a 2048 bit private/public DH/DSS
keypair. And it's dead easy to remember. (Well, relatively)

 
 
 


Post by Mikey » Wed, 23 Jul 2003 22:15:55


A *very* good passphrase for the key would be enough - something along the
lines of 30 random-ish characters, and make sure when you generate that the
key's symmetric cipher is one you trust. Another way is to have the key
encrypted to another key on a removable medium, like a key USB drive, with a
backup on the home computer. I don't know what Palm supports, but your
equivalent of a floppy disk. That way someone has to steal both the palm and
the separate drive to get anything useful. Or just have your key directly on
a key drive, but then if that gets stolen you're in the same position.
Ultimately though, a good passphrase makes the key as secure as your emails,
and probably safe imo.

Quote:
> What is the best way to deal with the potential for theft/loss of a palmtop
> containing a private PGP key? For example, I am considering creating a
> separate key pair for use on my Palm. However, it is kind of a pain to deal
> with two separate keys since I like to access my data on both my Palm and my
> PC. I know I can keep a copy of the key on both devices but am curious if
> there is some better alternative that might not require the use of two
> separate private keys while still maintaining the usefulness of the PGP
> systems and without requiring the creation of a new private key if the Palm
> is stolen/lost with the private key onboard.
>
> I am considering adding PGP to my Palm but am concerned about the potential
> loss of my private key.
>
> Thanks!
> Chip

 
 
 


Post by Jason Ti » Thu, 24 Jul 2003 02:29:35


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Get whatever removable storage media Palm supports and
attach one to your car keys or something.

Share split the key so there are 3 parts and you need any
two to get the key.

Keep one part on the Palm, one on the storage media and one
on the desktop.
That way you can use 1 key for everything (no separate pair)
but if any one thing is stolen you can still get to your
key and the thief cannot.

This and a secure (and preferably different) passphrase on
each part of the share split key will make the key secure
enough for you (assuming you don't encrypt top secret
intelligence reports for a major government)

| What is the best way to deal with the potential for
| theft/loss of a palmtop containing a private PGP key? For
| example, I am considering creating a separate key pair
| for use on my Palm. However, it is kind of a pain to deal
| with two separate keys since I like to access my data on
| both my Palm and my PC. I know I can keep a copy of the
| key on both devices but am curious if there is some
| better alternative that might not require the use of two
| separate private keys while still maintaining the
| usefulness of the PGP systems and without requiring the
| creation of a new private key if the Palm is stolen/lost
| with the private key onboard.
|
| I am considering adding PGP to my Palm but am concerned
| about the potential loss of my private key.
|
| Thanks!
| Chip

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: My Key: 6ACE DC2C 4C5A 9911 96F3  DDEB C7EC A953 ADE5 0951

-----END PGP SIGNATURE-----

 
 
 

1. In case I lose my private key...

Then I won't be able to revoke it. With GPG and earlier versions
of PGP, you can generate a detached revoke cert and back it up.
Is there a similar feature in the GUI version of PGP, and how do I use
it?
    Sorry for my bad English.

--
Zuxy
Beauty is truth,
While truth is beauty.
