Suppose someone had generated a 2.048-Bit RSA GPG/PGP key pair and published the

Question

Suppose someone had generated a 2.048-Bit RSA GPG/PGP key pair and published the public key on the usual key servers. Then he withdraws this key and generates a new one in 4.096-Bit RSA using the same passphrase again.

Theoretically, can the passphrase be cracked by mathematically comparing the two public keys or does that give away any security whatsoever, e.g. by the fact that both of them are out there?

I'm not a mathematician, so I'd be especially interested if 'comparing two keys' would make any theoretical sense at all and if so, what impact this would have on the integrity of the passphrase.

Explanation / Answer

No.

The passphrase you use creates a symmetric key that is used to encrypt the private key. You're not uploading the private key to the server, at least let's hope you aren't.

But even if you are doing that, the password is salted and iterated in hashing, and that means that the visible encrypted private key is radically different even if the password is the same, because the same password produces two different symmetric keys.

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.