Frequently Asked Questions

How is the private key protected?

The private key is only stored in encrypted form, using PGP symmetric encryption (1).
The user's password is converted to an AES-256 key using OpenPGP's Iterated and Salted S2K (2). The iteration code is set to 192, which corresponds to approx. 4 MB of data to hash (password+salt repeated) for a single password. This makes the password very slow to brute-force (3). All decryption is done on the user's own computer; the password is never sent to our server.

(1) Read more about OpenPGP symmetric encryption here:
https://tools.ietf.org/html/rfc4880#section-5.7
https://tools.ietf.org/html/rfc4880#section-3.7.2.1

(2) Read more about OpenPGP S2K here:
https://tools.ietf.org/html/rfc4880#section-3.7.1.3

(3) Example calculation for a brute-force attack against our users' private keys
An Intel Core i7 CPU @ 3.2 GHz can test approx. 30 passwords per CPU core per second.

For example, with a 10-letter password using a charset of 62 (a-z, A-Z, 0-9), it will take more than 400 years to brute-force using a super-computer with one million i7 CPU cores, with the above values:
62^10 / (30000000*60*60*24*365) = 887 years (whole keyspace), and 443.5 years for half the keyspace.

Another calculation: for a 12-letter password using a charset of 62 (a-z, A-Z, 0-9) with the same super-computer attacking 24/7, every day of the year:

62^12 / (30000000*60*60*24*365) = 3.4 million years (whole keyspace), and 1.7 million years for half the keyspace.

What if the super computer uses GPUs instead of CPUs?

Even if someone has a specially built GPU super-cluster, it will only make things approx. 20 to 50 times faster. Let's say the attacking cluster is 50 times faster:
10-letter password = 62^10 / (50*30000000*60*60*24*365) = 17.7 years (whole keyspace), or 8.8 years for half the keyspace
12-letter password = 62^12 / (50*30000000*60*60*24*365) = 68202 years (whole keyspace), or 34101 years for half the keyspace
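The following is an added worked example, not code from this FAQ or from Countermail: it implements the RFC 4880 Iterated and Salted S2K described above (decoding the one-octet iteration code 192 into the number of octets hashed, then stretching password+salt to an AES-256 key) and reproduces the brute-force time estimates from the calculations above. The hash algorithm (SHA-256) and the sample salt are assumptions; the page does not name them.

```python
import hashlib
import os

HASH_NAME = "sha256"          # assumption: the page does not name the S2K hash
AES256_KEY_LEN = 32           # AES-256 key, as stated on the page
ITERATION_CODE = 192          # the coded count the page says is used


def s2k_iteration_count(coded: int) -> int:
    """Decode the one-octet count of RFC 4880 section 3.7.1.3 into octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(password: bytes, salt: bytes, coded: int = ITERATION_CODE,
                        key_len: int = AES256_KEY_LEN) -> bytes:
    """Derive a symmetric key from a password with the Iterated and Salted S2K."""
    if len(salt) != 8:
        raise ValueError("RFC 4880 S2K salt is exactly 8 octets")
    data = salt + password
    # Total octets hashed; the RFC requires at least one full copy of salt+password.
    count = max(s2k_iteration_count(coded), len(data))
    full, rem = divmod(count, len(data))
    stream = data * full + data[:rem]          # salt+password repeated to `count` octets
    key = b""
    ctx = 0
    while len(key) < key_len:
        # Wider keys use extra hash contexts preloaded with 0, 1, 2, ... zero octets;
        # one context suffices for AES-256 with SHA-256.
        h = hashlib.new(HASH_NAME)
        h.update(b"\x00" * ctx)
        h.update(stream)
        key += h.digest()
        ctx += 1
    return key[:key_len]


def brute_force_years(charset: int, length: int, guesses_per_second: float) -> float:
    """Years to exhaust the whole keyspace at a given guess rate (the page's formula)."""
    return charset ** length / (guesses_per_second * 60 * 60 * 24 * 365)


if __name__ == "__main__":
    salt = os.urandom(8)                      # constructed sample salt
    key = s2k_iterated_salted(b"correct horse battery staple", salt)
    print(f"iteration code {ITERATION_CODE} -> {s2k_iteration_count(ITERATION_CODE)} octets hashed")
    print(f"derived AES-256 key: {key.hex()}")
    cluster = 1_000_000 * 30                  # one million i7 cores at 30 guesses/s each
    for length in (10, 12):
        print(f"{length}-char [a-zA-Z0-9]: {brute_force_years(62, length, cluster):,.1f} years (CPU), "
              f"{brute_force_years(62, length, 50 * cluster):,.1f} years (50x GPU)")
```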

Running a super computer cluster is expensive; we have never heard of any attack that lasted more than a couple of years.
All calculations above assume that the password consists of a combination of random letters and numbers. If you use many words, you need a longer password than 10 letters.


Read below how to create strong memorable passwords:
https://support.countermail.com/kb/faq.php?id=191



Last updated Fri, Mar 15 2013 00:00
