Another possible private key protection method
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu May 26 20:45:46 CEST 2016
On Thu 2016-05-26 03:11:43 -0400, NIIBE Yutaka wrote:
> (1) Have a seeded CSPRNG (Cryptographically Secure Pseudo Random Number
> Generator), say, one built from SHA-2. We feed PASSPHRASE
> + SALT + EXTRA_DATA as the seed. Note that the generation of random
> bytes is deterministic.
>
> (2) For some predefined number of rounds (which matches enough
> computation time to prevent attack), we have the CSPRNG generate that
> many random bytes.
>
> (3) Then, get more random bytes for the private key and authcode
> (KEYSIZE+AUTHSIZE) from the CSPRNG: RANDOM_DATA_FOR_KEY and
> RANDOM_DATA_FOR_AUTHCODE.
I don't think all CSPRNGs increase in cost as you move through the
stream. I can imagine something I'd still call a CSPRNG that provides
random access, given a seed and an offset. So I think the defense
you're proposing depends heavily on the form of the CSPRNG, right?
It looks like your construction is a standard XOR-based stream cipher,
with some additional precomputation barrier, right?
Doesn't the construction imply that anyone flipping a bit in the
ciphertext (ENCRYPTED_PRIVATE_KEY) can trigger an effective bit-flip in
the cleartext? The AUTHCODE appears to be present just to ensure that
the provided passphrase is correct, but doesn't actually authenticate
the validity of the private key material.
--dkg
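An added example, not code from either poster or from GnuPG, that models steps (1)-(3) above in Python with a counter-mode SHA-256 generator and then exercises both concerns raised in the reply: the generator is random-access (any block is computable from seed and offset, so skipping `rounds` blocks costs nothing), and a flipped ciphertext bit passes the AUTHCODE check and lands in the recovered plaintext. The HMAC over the ciphertext, keyed here with AUTHCODE for brevity (a real design would derive a separate MAC key), is my assumed addition showing the check that detects the flip; all function names and the sample key are constructed.

```python
import hashlib
import hmac
BLOCK = 32  # SHA-256 output length in bytes

def block_at(seed: bytes, index: int) -> bytes:
    """Counter-mode hash CSPRNG: block i = SHA-256(seed || i). Any block is
    reachable from seed and offset, so skipping blocks is not a work barrier."""
    return hashlib.sha256(seed + index.to_bytes(8, "big")).digest()

def derive(passphrase: bytes, salt: bytes, extra: bytes, rounds: int,
           keysize: int, authsize: int):
    """Steps (1)-(3): seed, skip `rounds` blocks, take key stream then AUTHCODE."""
    seed = passphrase + salt + extra
    nblocks = -(-(keysize + authsize) // BLOCK)  # ceiling division
    out = b"".join(block_at(seed, rounds + i) for i in range(nblocks))
    return out[:keysize], out[keysize:keysize + authsize]

def encrypt(key: bytes, pw: bytes, salt: bytes, extra: bytes, rounds: int,
            authsize: int = 16):
    """XOR stream encryption; also returns an HMAC over the ciphertext (assumed fix)."""
    ks, authcode = derive(pw, salt, extra, rounds, len(key), authsize)
    ciphertext = bytes(p ^ k for p, k in zip(key, ks))
    return ciphertext, authcode, hmac.new(authcode, ciphertext, hashlib.sha256).digest()

def decrypt(ciphertext: bytes, authcode: bytes, pw: bytes, salt: bytes,
            extra: bytes, rounds: int) -> bytes:
    """The proposal's check: AUTHCODE only proves the passphrase is right."""
    ks, expected = derive(pw, salt, extra, rounds, len(ciphertext), len(authcode))
    if not hmac.compare_digest(expected, authcode):
        raise ValueError("wrong passphrase")
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def tag_ok(ciphertext: bytes, authcode: bytes, tag: bytes) -> bool:
    """Integrity check over the stored ciphertext; rejects any bit flip."""
    return hmac.compare_digest(hmac.new(authcode, ciphertext, hashlib.sha256).digest(), tag)

def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def demo():
    """Returns (malleable, detected) for one flipped ciphertext bit."""
    key = b"-----CONSTRUCTED PRIVATE KEY BYTES-----"  # constructed sample input
    pw, salt, extra, rounds = b"correct horse", b"salt1234", b"extra", 1000
    ct, ac, tag = encrypt(key, pw, salt, extra, rounds)
    tampered = flip_bit(ct, 5)
    malleable = decrypt(tampered, ac, pw, salt, extra, rounds) == flip_bit(key, 5)
    return malleable, not tag_ok(tampered, ac, tag)
```

`demo()` returns `(True, True)`: the AUTHCODE check accepts the tampered ciphertext and the flip appears in the plaintext, while the HMAC check rejects it.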