Another possible private key protection method

NIIBE Yutaka gniibe at fsij.org
Thu May 26 09:11:43 CEST 2016 

Hello,

I'm currently considering another private key protection method
(other than openpgp-s2k3-sha1-aes-cbc, openpgp-s2k3-ocb-aes, etc.).

I'm not sure if it's good for GnuPG, but in the context of Gnuk, it's
worth a try.

While we use AES (or some cipher) to encrypt a private key, the speed
of decryption to get private key is not that important, in this use
case.  In fact, we intentionally slow down the speed of the
computation of passphrase to private key (by a s2k function).

Here is the idea:

* Encryption

Input: PRIVATE_KEY of KEYSIZE
       PASSPHRASE
       SALT
       EXTRA_DATA
Output: ENCRYPTED_PRIVATE_KEY of KEYSIZE
        AUTHCODE of AUTHSIZE

(1) Have a seeded CSRNG (Cryptographically Secure Pseudo Random Number
    Generator), say, which is composed with SHA-2.  We feed PASSPHRASE
    + SALT + EXTRA_DATA as seed.  Note that the generation of random
    bytes is deterministic.

(2) For some predefined number of rounds (which matches enough
    computation time to prevent attack), we let generate as many bytes
    of random byte from the CSPRNG.

(3) Then, get another random bytes for private key and authcode
    (KEYSIZE+AUTHSIZE) from CSPRNG: RANDOM_DATA_FOR_KEY and
    RANDOM_DATA_FOR_AUTHCODE.

(4) Compute encrypted private key and authcode:

    ENCRYPTED_PRIVATE_KEY = RANDOM_DATA_FOR_KEY ^  PRIVATE_KEY
    AUTHCODE = RANDOM_DATA_FOR_AUTHCODE


It's something like the one-time pad system and a variant of Vernam
cipher.


* Decryption

Input: ENCRYPTED_PRIVATE_KEY of KEYSIZE
       AUTHCODE of AUTHSIZE
       PASSPHRASE
       SALT
       EXTRA_DATA
Output: PRIVATE_KEY of KEYSIZE

(1) Have a same seeded CSRNG.  We feed PASSPHRASE + SALT + EXTRA_DATA
    as seed.  If PASSPHRASE + SALT + EXTRA_DATA is correct, the CSRNG
    should generate exactly same sequence of random bytes.

(2) For some predefined number of rounds used in encryption process,
    we let generate as many bytes of random byte from the CSPRNG.

(3) Then, get another random bytes for private key and authcode
    (KEYSIZE+AUTHSIZE) from CSPRNG: RANDOM_DATA_FOR_KEY and
    RANDOM_DATA_FOR_AUTHCODE.

(4) Compute the private key and check against authcode

    if RANDOM_DATA_FOR_AUTHCODE == AUTHCODE
       PRIVATE_KEY = RANDOM_DATA_FOR_KEY ^ ENCRYPTED_PRIVATE_KEY
    else
       failure


Benefit for Gnuk is that we won't need to have AES implementation.
--

More information about the Gnupg-devel mailing list