opie or s/key with gpg? (fwd)

David Shaw dshaw at jabberwocky.com
Wed Oct 8 15:11:24 CEST 2003


On Tue, Oct 07, 2003 at 09:38:38PM -0700, Atom 'Smasher' wrote:

> let's say we have the count at 123, the password="p", the seed="s", so the
> opie-secret-keyring is symmetrically encrypted, with a password based on
> the final hash value of opie(p,s,124).
> 
> so, after a successful OTP is given to [an opie version of] gpg, let's
> decrypt the secret key (from the opie-secret-keyring) so it's available to
> gpg to do its thing, and then re-encrypt the opie-secret-keyring, this
> time with a password based on opie(p,s,123) (the current OTP). the next
> valid OTP is #122.
> 
> in other words, the opie-secret-keyring is symmetrically encrypted, using
> a password which is based on the final hash value of opie as its
> password. every time the opie-secret-keyring is accessed, the file is
> decrypted (otherwise the key can't be accessed), then re-encrypted with
> its new password based on the final hash value of opie.
> 
> now the opie-secret-keyring is encrypted with a password based on
> opie(p,s,123), and entering the right opie-password (based on a count of
> 122) will decrypt it, make the key available, and then re-encrypt it with
> a password based on the final hash of opie(p,s,122). the opie counter is
> now at 121.

To steal a secret key, the attacker needs both the encrypted key
file, and the passphrase.  Using OTP doesn't make it any harder or
easier for the attacker to get the encrypted key file, so let's look
at the passphrase:

It's a given that "regular" GnuPG passphrases can be sniffed off of
the wire (or via a keyboard bug, or countless other variations), and
so can a one-time passphrase.  The point of one-time passphrases is
that they are only able to be used once and cannot be re-used a second
time.  There is no point in sniffing such a one-time passphrase, since
it won't be usable later.

However, in the system you suggest above, an OTP *can* be re-used.  The
problem here is the downwards count.  Any OTP x is capable of being
transformed into any OTP x+n.  A stolen encrypted key file encrypted
with OTP x can be decrypted by any OTP n where n < x by hashing the
OTP x-n times.

The only case where the proposed system is more secure than the
current system is if the attacker sniffs a passphrase, and then later
goes back for the encrypted key file.  If the attacker steals the
encrypted key file at the same time he sniffs the passphrase, or
steals the encrypted key file before sniffing the passphrase then the
proposed system is effectively the same as the current design.

You seem to have realized this as well:

> if an attacker gets a copy of the opie-secret-keyring, and sniffs any OTP
> that's newer than the file, that sniffed OTP can be used to generate
> previously used OTPs (which can unlock the file). this requires that the
> opie secret password and string are the same, both the time that the file
> is stolen, and the time that the password is sniffed. however, if an
> attacker has access to both the opie-secret-keyring AND your password,
> then you're hosed anyway. this method DOES NOT protect you in the event
> that your opie-secret-keyring can be read by an attacker; it ONLY protects
> your password from being replayed. of course, i'm not sure how useful the
> password would ever be, without a copy of the encrypted secret keyring, so
> maybe the whole thing makes no sense.... maybe all of this rambling is
> pointless anyway?

Not pointless.  It's possible to construct examples where OTP could be
useful (say, a signing service or decryption server that does not give
general access to the encrypted secret keyring), but it is not
generally useful as a passphrase-protection mechanism.

David
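
The downward-count property discussed in this message, as an added example that is not part of the original post or of GnuPG/OPIE: it models the chain and checks both orderings of "file copied" and "OTP observed". SHA-256 stands in for the OPIE hash, and `keyring_key` and `copy_is_exposed` are hypothetical helpers; the password, seed and counts are the constructed values from the thread.

```python
import hashlib

def step(value: bytes) -> bytes:
    # One link of the chain. SHA-256 is a stand-in for the OPIE hash (assumption).
    return hashlib.sha256(value).digest()

def opie(password: bytes, seed: bytes, count: int) -> bytes:
    # Simplified opie(p, s, count): hash seed+password `count` times.
    value = seed + password
    for _ in range(count):
        value = step(value)
    return value

def roll_forward(sniffed: bytes, sniffed_count: int, file_count: int) -> bytes:
    # Turn the OTP for a lower count into the OTP for a higher count.
    # Uses only the sniffed value, never the password or seed.
    if file_count < sniffed_count:
        raise ValueError("would require inverting the hash")
    value = sniffed
    for _ in range(file_count - sniffed_count):
        value = step(value)
    return value

def keyring_key(otp: bytes) -> bytes:
    # Hypothetical derivation of the keyring's symmetric key from an OTP.
    return hashlib.sha256(b"keyring" + otp).digest()

def copy_is_exposed(file_key: bytes, file_count: int,
                    sniffed: bytes, sniffed_count: int) -> bool:
    # True if a keyring copy keyed at file_count can be unlocked
    # from an OTP observed at sniffed_count.
    try:
        return keyring_key(roll_forward(sniffed, sniffed_count, file_count)) == file_key
    except ValueError:
        return False

# Constructed values matching the thread: password "p", seed "s".
P, S = b"p", b"s"
key_at_123 = keyring_key(opie(P, S, 123))  # keyring state after OTP 123 was used
key_at_121 = keyring_key(opie(P, S, 121))  # keyring state two logins later

if __name__ == "__main__":
    # File copied first, OTP 121 observed later: exposed.
    print(copy_is_exposed(key_at_123, 123, opie(P, S, 121), 121))
    # OTP 123 observed first, file copied later: not exposed.
    print(copy_is_exposed(key_at_121, 121, opie(P, S, 123), 123))
```

Only the second ordering resists, which is the one case the message identifies as more secure than a static passphrase.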
