Another possible private key protection method

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 26 20:45:46 CEST 2016


On Thu 2016-05-26 03:11:43 -0400, NIIBE Yutaka wrote:
> (1) Have a seeded CSRNG (Cryptographically Secure Pseudo Random Number
>     Generator), say, which is composed with SHA-2.  We feed PASSPHRASE
>     + SALT + EXTRA_DATA as seed.  Note that the generation of random
>     bytes is deterministic.
>
> (2) For some predefined number of rounds (which matches enough
>     computation time to prevent attack), we let generate as many bytes
>     of random byte from the CSPRNG.
>
> (3) Then, get another random bytes for private key and authcode
>     (KEYSIZE+AUTHSIZE) from CSPRNG: RANDOM_DATA_FOR_KEY and
>     RANDOM_DATA_FOR_AUTHCODE.

I don't think all CSPRNGs increase in cost as you move through the
stream.  I can imagine something i'd still call a CSPRNG that provides
random-access, given a seed and an offset.  So i think the defense
you're proposing depends heavily on the form of the CSPRNG, right?

It looks like your construction is a standard XOR-based stream cipher,
with some additional precomputation barrier, right?

Doesn't the construction imply that anyone flipping a bit in the
ciphertext (ENCRYPTED_PRIVATE_KEY) can trigger an effective bit-flip in
the cleartext?  the AUTHCODE appears to be present just to ensure that
the provided passphrase is correct, but doesn't actually authenticate
the validity of the private key material.

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: </pipermail/attachments/20160526/8fa9faa5/attachment.sig>


More information about the Gnupg-devel mailing list