[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: don't use passwords as private keys (was Re: Using a password as a private key.)

>Harv "RedRook" (is that Harvey Rook?) writes:
>> You don't know you have to destroy a key file, until it is too late.

At 02:43 PM 10/30/98 GMT, Adam Back wrote:
>Sooo.  What does this imply you should do?  
>Destroy your key file on a regular basis :-)
>This means that if someone were (say like GCHQ or ECHELON) were to be
>archiving my email, and later develop an interest in reading it, they
>would be out of luck.  And I wouldn't be able to help them if I wanted to. ...
>Forward secrecy means that only the current key file is vulnerable.

Forward secrecy for encryption keys is a really important technique;
as you say, nobody can go back later and force you to reveal the key.
Forward secrecy for signature keys is less useful (:-), since it means
that you can't later sign a document using an old key.  (Occasionally
this may be bad - e.g. court cases demonstrating you signed something -
but it also means nobody can forge an old signature of yours.)

In any Forward Secrecy environment, it tends to help to have multiple keys,
with a long-term key that's only used for signing short-term keys.
The classic example is Authenticated Diffie-Hellman key exchange,
with one-use session keyparts signed by your signature key
(ideally with the signatures passed inside the encrypted session
rather than beforehand in the clear.)  

One difficulty is proving that you don't have a backup copy of the keyfile,
on tapes, or hidden, or printed on paper stuck in a desk drawer.
Proving that _you_ didn't make a copy is usually impossible,
and knowing whether somebody else has a copy of things is a problem
Ollie North has dealt with (:-) ; if you're running your own PC,
physically secure, then you're at least as secure as your network connections.

Another issue for Kong and other systems with keys made from a
passphrase and keyfile is whether to reuse either of them
in a forward secrecy environment.  It's sometimes convenient
to use the same passphrase and change keyfiles every cycle,
but that depends on your threat models.

>Your passphrase might not be as secure as you think it is. 
>The sound of you typing it whilst on the phone, or the RF noise 
>emitted by the keyboard controller chip may completely or partially leak it.

If you're worried about RF noise, you have to assume the CPU or disk
is also radiating enough for the spooks.  On the other hand,
that video camera in the ceiling can watch your keystrokes,
but can't watch the CPU.  That's when the paranoids worry about
whether the KGB is sneaking in and copying their disk drive at night,
and they start getting encrypted file system software. :-)

Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639