Increasing Public Key Crypto Security with Handhelds

Brian Ristuccia brianr at debian.org
Fri Nov 26 23:48:05 CET 1999 

debian-devel and gnupg-devel folks: This is CC'd to your list because a
similar arrangement with the desktop computer substituted by a remote server
such as master.debian.org, and the handheld substituted by the PC the user
is physically sitting at and perhaps a handheld could facilitate safer
signing of files (such as Debian packages) on untrusted machines. I'm not on
either of these lists, so please Cc: me on any replies.

I just came up with what I think may be a good way to increase the security
of GNU Privacy Guard using a cheap handheld computer like the Palm III or
the Handspring visor. I'm sure this has been proposed before with smartcard
technology or something similar. I'm not a cryptographer, so I'm interested
in hearing your comments.

For the benefit of list-geek folks who might not know already, GNU Privacy
Guard and PGP implement public-key encryption by first encrypting the
message you wish to send with a symetric key and a random symmertic key
called the "session key". Then the session key is encrypted with the public
key belonging to the recipient. When the recipient gets the message. They
decode their encrypted private key using their passphrase. Then they decode
the session key using their private key, and then undo the symmetric
encryption with the session key in order to read the encrypted message.

If your public key and your passphrase get compromised, anyone who has both
can read your encrypted messages. One way to increase security is to store
the private key on a floppy disk or flash card that you keep in a safe
place. If your passphrase is compromised, it's useless without the private
key, which is physically secured. The problem with this is that it's
possible for the key to be stolen by rogue software on the untrusted PC
while the disk is in the drive.

What I'm proposing is to do the private key part on the handheld computer.
GNU Privacy Guard would send only encrypted session keys to the handheld
computer. The handheld computer would then prompt the user for their
passphrase, decode the private key, decrypt the session key, and send it
back to the copy of GNU Privacy Guard running on the PC. Buttons that
rearrange themselves randomly on the touchscreen could be used to prevent
wear analysis of the unit to determine potential passphrases.

This could work similarly for signing, where the hashed message is sent to
the handheld to be hashed signed with the private key.

Potential Risks: 

* If only the hash is transmitted, a compromised machine could trick you
  into signing a document other than the one you intend to sign. I haven't
  proved a way to use a human readable document summary displayed on the
  handheld to make it more difficult to trick the user into signing an
  arbitrary document, but I'm sure it's possible.

* A compromised machine could trick you into decoding a message other than
  the one you intended to decode, unless the whole message was sent to the
  handheld. It might be possible to reduce this risk (at least for messages
  where the plaintext is human readable) by sending part of the symmetricly
  encrypted document to the handheld so the user can verify it before
  releasing the symmetric key to the PC.

* Probably more that I haven't thought of.

Potential Benefits:

* Unless both the handheld and the passphrase are compromised, messages and
  signatures must be compromised individually.

* The private key can't copied by a rogue process on the PC like it could
  with a floppy disk or flash memory card.

* Document summaries displayed on the handheld may tip off the key owner
  when a malicious third party is trying to decrypt a document or forge a 
  signature.

* Probably more that I haven't thought of. 

-- 
Brian Ristuccia
brianr at osiris.978.org
brianr at debian.org
bristucc at cs.uml.edu

More information about the Gnupg-devel mailing list