Florent Daigniere writes:

> On Thu, 2016-12-22 at 00:31 +0100, Arne Babenhauserheide wrote:
>> Hi,
>> 
>> I just finished the basic implementation of a longterm plan I had:
>> portable WoT IDs, recoverable with a random password.
>> 
>> → https://github.com/ArneBab/lib-pyFreenet-staging/commit/7a847a0e3db50948ae2b65ff8171401a0cd0cd9b
>> 
>> Basic approach:
>> 
>> - Upload the private key to KSK@<common prefix>-<14 letter password>--recovery
>> - Upload metadata to USK@<public key>/<14 letter password>--<type of metadata>/-1
>> - recovery: download KSK, invert private key, retrieve metadata from USK,
>>   re-create WoT identity
>> 
>> It would be great if you could doublecheck whether I missed anything
>> which would spill your private key. The current password has an
>> entropy of 75 bits — is that enough?
>
> Enough for what?

For the usecase I explained: preventing attackers from finding private
keys via brute force attacks.

> https://www.keylength.com/en/3/

That site is great! I searched for something like this quite a bit…

Following the ECRYPT II recommendations, I should go for at least 160
bits, since I cannot use a salt.

However, I’m not sure about this, because I do not have a good enough
grip on the cost of attacking KSK keys in Freenet. That’s why I ask.

> You are naive if you think that you can ask users to give you 75 bits
> they can remember but others can't guess.

Did you really think that I ask the user? I generate a random
password. How would I be able to give an entropy estimate otherwise?

>> Is it somehow possible to decrypt parts of the store at random in the
>> hope of hitting a random uploaded private key (a variant of the birthday
>> attack against the password which would avoid having to query the
>> network for each check)?
>> 
>
> Of course it is. Your scheme is completely broken; at the very least the
> "passphrase" should be salted, hashed and iterated... and yes, that
> means getting the user to remember the salt too.

The passphrase must be as strong as would be needed for passphrase plus salt.

For hashing and iterating: Is that of practical utility when I’m
sticking the password into a KSK in the end? Isn’t the cost of attacking
the KSK much higher than the cost of hashing and iterating?

(this is my core question here: what’s the cost of attacking a randomly
generated KSK?)

Best wishes,
Arne
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
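As an added illustration of the entropy arithmetic discussed in this message (example code written here, not part of the thread or of lib-pyFreenet): it computes the bits a random password of a given length carries, the alphabet size implied by the "14 letters = 75 bits" figure, how much security is left when an attacker is content to hit any one of many recovery keys (the random-store-scan concern), and the salted, iterated derivation Florent asks for. The 62-symbol alphabet, the PBKDF2 choice and the iteration count are assumptions.

```python
import hashlib
import math
import secrets
import string

# Constructed alphabet for the demonstration; the original scheme's
# symbol set is not stated in the thread.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def implied_alphabet_size(bits: float, length: int) -> float:
    """Alphabet size a uniform `length`-symbol password needs for `bits`."""
    return 2 ** (bits / length)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length reaching `target_bits` (e.g. the 160-bit target)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(alphabet: str, length: int) -> str:
    """Generate the recovery password from the OS CSPRNG, never random.*"""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def multi_target_bits(entropy: float, n_targets: int) -> float:
    """Security left when any one of `n_targets` uploaded keys is a win:
    a guess is checked against every target at once, costing log2(n) bits.
    Without a per-user salt this degradation applies to the whole scheme."""
    return entropy - math.log2(n_targets)


def salted_iterated_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardened variant: per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256
    chosen here as an assumption). The salt removes the multi-target gain and
    the iterations multiply the cost of every guess; the salt must itself be
    recoverable by the user, which is the trade-off Florent points at."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
```

Running `multi_target_bits(75, 2**20)` shows that one million unsalted recovery keys leave 55 bits of effective security against a scan that accepts any hit.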
