Second passphrase feature request

NIIBE Yutaka gniibe at fsij.org
Fri Oct 27 08:03:38 CEST 2023


Hello,

I will read your suggestion later.  For now, let me reply to a question.

gnupg.org at terminada.io wrote:
> However, as Gnuk is currently implemented, if the key was copied from
> the device still in its encrypted state, is it possible to know when
> the data is successfully decrypted by applying AES decryption with
> guessed PINs?  I.e.: Can you know when successfully decrypted because you
> see a specific header byte sequence?

Let me explain.

Terms:
	KDF: Key Derivation Function
	KEK: Key Encoding Key
	DEK: Data Encoding Key
	AEAD: Authenticated Encryption

Here is a figure:

    Passphrase --[KDF on your computer + on the device]--> KEK

    KEK --> [AES decryption] --> DEK
                   ^ 
    Encrypted      |
     key      -----/
                          
    DEK --> [AEAD decryption] --> private key material
                   ^ 
    Encrypted      |
     private key --/
     with
     authentication tag
    (stored in the flash memory of the device)

With AEAD, it determines whether the decrypted data is correct or not.

In the situation where all the data is extracted from the MCU (somehow),
a brute force attack with guessed DEK (or KEK) is possible, and a brute
force attack with guessed passphrase is possible, too.

With Gnuk, computation of the KEK is done together by the host computer
and the device (when configured correctly).

KDF on the device side uses (32-bit from 96-bit) unique ID of MCU.

When the host computer is cracked, the passphrase might be known.  In this
case, private key material may be acquired using the passphrase, and
the information (or guessing) of the unique ID.

When the USB communication is tapped and monitored, the partially computed
KEK might be known.  In this case, private key material may be acquired
by a bit of brute force attack with the partially computed KEK, and the
information (or guessing) of the unique ID.
-- 
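The chain in the figure above (passphrase -> KEK via host+device KDF -> AES-unwrapped DEK -> AEAD-opened private key), with both attack scenarios from the mail, as an added worked example. This is illustrative code written for this page, not Gnuk's source, and its primitives are assumptions chosen for a stand-alone program: a minimal PBKDF2-HMAC-SHA256 as the host-side KDF, HMAC-SHA256 keyed with the host output as the device-side KDF, raw AES-256 blocks for the DEK wrap, and AES-GCM for the AEAD; the sample unique ID, salt, nonce and the assumption that the device uses the first 32 bits of the 96-bit ID are constructed. The point it demonstrates is the one in the mail: the unauthenticated AES step accepts any KEK silently, and it is the AEAD tag that tells an attacker with a flash dump whether a guessed passphrase (attack 1) or, with the partial KEK sniffed from USB, a guessed 32-bit ID word (attack 2) was right.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed demo parameters; none of these are Gnuk's real values.
var (
	hostSalt = []byte("demo-host-salt")
	// 96-bit MCU unique ID. Assumption: the device KDF mixes in its first 32 bits.
	// The ID word is deliberately small (0x2a) so the ID-word search below ends quickly.
	mcuUniqueID = []byte{0x00, 0x00, 0x00, 0x2a, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
	aeadNonce   = []byte("demo-nonce12") // fixed 12-byte GCM nonce; fine here since every DEK is fresh
)

const hostIterations = 2000

// hostKDF: minimal PBKDF2-HMAC-SHA256 (single 32-byte block) standing in for the
// host-side half of the KEK computation. Its output is what a USB tap would see.
func hostKDF(passphrase []byte) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(hostSalt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < hostIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// deviceKDF: the device finishes the KEK by keying HMAC with the host output and
// absorbing 32 bits of the MCU unique ID (assumed construction).
func deviceKDF(partialKEK []byte, idWord uint32) []byte {
	var w [4]byte
	binary.BigEndian.PutUint32(w[:], idWord)
	mac := hmac.New(sha256.New, partialKEK)
	mac.Write(w[:])
	return mac.Sum(nil)
}

func idWordOf(uid []byte) uint32 { return binary.BigEndian.Uint32(uid[:4]) }

func deriveKEK(passphrase, uid []byte) []byte {
	return deviceKDF(hostKDF(passphrase), idWordOf(uid))
}

// aesBlocks applies raw AES-256 (no IV, no tag) to the two 16-byte halves of a
// 32-byte DEK. A wrong KEK yields garbage without any error: no oracle here.
func aesBlocks(kek, in []byte, encrypt bool) []byte {
	blk, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 32)
	for off := 0; off < 32; off += 16 {
		if encrypt {
			blk.Encrypt(out[off:off+16], in[off:off+16])
		} else {
			blk.Decrypt(out[off:off+16], in[off:off+16])
		}
	}
	return out
}

func sealKey(dek, priv []byte) []byte {
	blk, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Seal(nil, aeadNonce, priv, nil)
}

// openKey reports ok=false when the GCM tag does not verify. This is the oracle
// that tells a brute-forcer whether its guess was right.
func openKey(dek, sealed []byte) ([]byte, bool) {
	blk, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(blk)
	pt, err := gcm.Open(nil, aeadNonce, sealed, nil)
	return pt, err == nil
}

// provision models key import: fresh random DEK wrapped under the KEK, private
// key sealed under the DEK. The two outputs are what a flash dump would yield.
func provision(passphrase, priv []byte) (encDEK, sealed []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return aesBlocks(deriveKEK(passphrase, mcuUniqueID), dek, true), sealKey(dek, priv)
}

// unlock is the legitimate path: passphrase plus the real device ID.
func unlock(passphrase, uid, encDEK, sealed []byte) ([]byte, bool) {
	return openKey(aesBlocks(deriveKEK(passphrase, uid), encDEK, false), sealed)
}

// Attack 1: flash dump plus a known or guessed unique ID; walk a wordlist.
func bruteForcePassphrase(words []string, uid, encDEK, sealed []byte) (string, bool) {
	for _, w := range words {
		if _, ok := unlock([]byte(w), uid, encDEK, sealed); ok {
			return w, true
		}
	}
	return "", false
}

// Attack 2: flash dump plus the partial KEK captured on USB. Only the 32-bit ID
// word is unknown, so at most 2^32 AEAD trials remain; limit bounds the demo.
func bruteForceIDWord(partialKEK, encDEK, sealed []byte, limit uint32) (uint32, bool) {
	for w := uint32(0); w < limit; w++ {
		if _, ok := openKey(aesBlocks(deviceKDF(partialKEK, w), encDEK, false), sealed); ok {
			return w, true
		}
	}
	return 0, false
}

func main() {
	priv := []byte("constructed private key bytes")
	encDEK, sealed := provision([]byte("correct horse"), priv)
	pw, found := bruteForcePassphrase([]string{"123456", "hunter2", "correct horse"}, mcuUniqueID, encDEK, sealed)
	fmt.Println("passphrase search:", pw, found)
	w, found := bruteForceIDWord(hostKDF([]byte("correct horse")), encDEK, sealed, 1<<12)
	fmt.Printf("ID-word search: 0x%08x %v\n", w, found)
}
```

Running it shows both searches succeeding on the constructed data. Note where the cost lands: attack 1 pays the full host KDF per guess, so the host-side iteration count is what slows a wordlist; attack 2 skips the host KDF entirely and only pays one HMAC, two AES blocks and one GCM open per candidate ID word, which is why knowing the partial KEK reduces the problem to "a bit of brute force" over the 32 bits the device contributes.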