Hi all, I just wanted to ask a question about RSA keys.
I'm working on a peer to peer software project where public key cryptography is required to enable peer to peer authentication (at connection time the peers will sign a random challenge string to each other to prove their identity). There is a trusted central node which has all the public keys.

We want our software to be really easy to use. To that end, we don't want to make the users have to look after their private keys. Also, since the product relates to data backup, we have to assume they will have lost their hard drive. We also don't want to store the Private Keys on the trusted central node (so we can truthfully say that we don't hold any of the users' secrets). So, really all we want is that they have to remember a single password.

So, to summarise, the requirements are:

* Peers have to authenticate to each other (a trusted third party is available)
* Peers must only need to remember a standard password (e.g. "abacus123")
* Peers should not need to store RSA private keys anywhere at all (including on the trusted server)

What we're proposing is as follows:

1) We initialise the random number generator (RNG) with the user's password (yes, it will be a cryptographic RNG)
2) We generate the RSA keys from the primed RNG

So, if they have hardware failure, they just need to re-enter their password and they'll get back their RSA private key (by re-priming the RNG and repeating the generation).

I have two questions.

Question 1
------------------

What I'd like to know is, how insecure is our proposed scheme? Now, I totally understand that the "theoretical" answer is probably going to be "This is a bad idea because the randomness of your RNG has been compromised". However, what I'd really like to understand is what the *real world* insecurity is. For example, if you're saying that you'd have to be a cryptographic expert to be able to take advantage of this knowledge (i.e. that the RNG was primed with a password), then perhaps we might live with that.

What I'm saying is that I think this may be a trade off between usability and security, and I want to understand how much security we lose doing this.

Question 2
----------------

Can anyone suggest an alternative/better scheme which meets the requirements above? i.e. peers authenticating to each other using just a password? [I'm guessing that using hashes of passwords is a really bad idea because of play-back attacks]

Thanks in advance for any help.

John
_______________________________________________
FDE mailing list
FDE@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde
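As an added illustration (not John's code and not part of the list post), the proposal written out with the one change a reviewer would insist on: the password goes through a slow, salted KDF before it seeds a deterministic generator, and the RSA primes are drawn from that generator. It assumes PBKDF2-HMAC-SHA256 as the KDF, an HMAC-SHA256 counter stream as the seeded RNG, and 512-bit primes so the demo runs quickly; none of those choices come from the post. The defender's takeaway it makes concrete: the same password and salt always reproduce the same key (the recovery property John wants), and the key can never be stronger than the password, so the KDF cost and the password policy are what actually set the security level.

```python
import hashlib
import hmac
# Demo parameters (my assumptions, not from the post): PBKDF2-HMAC-SHA256 turns the password
# into the seed; 512-bit primes keep the demo fast. Use a memory-hard KDF and >=2048-bit keys for real.
KDF_ITERATIONS = 600_000
PRIME_BITS = 512
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def drbg(seed: bytes):
    """Deterministic block stream HMAC-SHA256(seed, counter): same seed -> same blocks."""
    counter = 0
    while True:
        yield hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1

def rand_int(stream, bits: int) -> int:
    out = b"".join(next(stream) for _ in range((bits + 255) // 256))
    return int.from_bytes(out, "big") >> (len(out) * 8 - bits)

def is_probable_prime(n: int) -> bool:
    if any(n % p == 0 for p in SMALL_PRIMES):      # cheap trial division first
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES[:16]:                    # Miller-Rabin with fixed bases, so the answer is deterministic
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(stream, bits: int) -> int:
    while True:
        cand = rand_int(stream, bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def rsa_key_from_password(password: str, salt: bytes) -> tuple:
    """Return (n, e, d). The salt is not secret and can live on the central node; the key space
    is still only the password space, the slow KDF merely raises the cost of each guess."""
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)
    stream, e = drbg(seed), 65537
    while True:
        p, q = gen_prime(stream, PRIME_BITS), gen_prime(stream, PRIME_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                      # e must be invertible mod phi
            return p * q, e, pow(e, -1, phi)
```

Signing the connection-time challenge is then plain RSA with d, and the peer verifies with the public (n, e) it fetched from the central node; real code would add RSA-PSS padding around the challenge hash.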