# simple, secret, algorithm implications when communicating with yourself?

*From*: Tim Smith <reply_in_group@xxxxxxxxxxxxxxxx>*Date*: Thu, 08 Jun 2006 07:42:15 -0000

OK, I understand why it is bad, if Alice and Bob want to communicate, to

depend on keeping their algorithms secret in order to maintain security.

But how about where Alice is only talking to herself? Here's the situation.

Alice has an important file, encrypted with her gpg public key. She has a

good pass phrase protecting her private key: it's got lower case and upper

case letters, digits, punctuation, and is long enough to be safe from brute

force. She's firmly memorized it, but wants some way to recover if,

somehow, she happens to forget it.

Let's call this pass phrase KEY1.

So, suppose Alice were to do this. She logs in on her Linux box. She opens

her favorite editor, and enters this:

sha1sum |

sha1sum |

sha1sum |

sha1sum |

...

sha1sum

where there are 1960 lines (she was born in 1960).

She saves this to a temp file, foo. Then she types this in bash:

. foo

and types "secret", presses ENTER, and hits control-D. The output is this:

9f6b3b0aa66541e567f5273d877e7ba0c7684d04 -

Basically, her little script has taken her input, computed SHA1, output it

in a text format, computed SHA1 of that, and so on, 100 times.

Now she takes that 9f6b3b0aa66541e567f5273d877e7ba0c7684d04 and uses it as

a key to encrypt KEY1.

She then deletes foo (using a secure delete if she's using a filesystem that

supports it).

Her intent is to never need to decrypt that encrypted copy of KEY1. The

only time she will do that is if she manages to forget KEY1, then she will

fire up her text editor, type in her iterative sha1 script, run it to get

the key to decrypt KEY1, decrypt KEY1, and re-memorize it.

So, although she has picked a simple algorithm, and is keying it with a weak

key (the word "secret" and her birthyear), it seems reasonable that she CAN

keep the simple algorithm secret (assuming she really only uses it on those

very rare occasions when she forgets KEY1). Essentially, the algorithm is

part of the key here. I have no idea what the effective key size of this

is, but my guess is that it is pretty large.

Is security through obscurity actually OK in this situation?

--

--Tim Smith

.

**Follow-Ups**:**Re: simple, secret, algorithm implications when communicating with yourself?***From:*Kevin Buhr

**Re: simple, secret, algorithm implications when communicating with yourself?***From:*Douglas A. Gwyn

**Re: simple, secret, algorithm implications when communicating with yourself?***From:*Volker Hetzer

**Re: simple, secret, algorithm implications when communicating with yourself?***From:*Sebastian Gottschalk

**Re: simple, secret, algorithm implications when communicating with yourself?***From:*TC

- Prev by Date:
**Re: RSA signing security** - Next by Date:
**Re: simple, secret, algorithm implications when communicating with yourself?** - Previous by thread:
**RSA signing security** - Next by thread:
**Re: simple, secret, algorithm implications when communicating with yourself?** - Index(es):