I must have written it poorly. I never use the hash for authN, only to make any tamporing with keys evident. I'm not sure it is a requirement (pgp doesn't even bother making these checks) but I wanted to be extra careful :)
On Jun 14, 2010, at 1:22 AM, Jeffrey Walton <[email protected]> wrote: > Hi Thor, > > I'm probably splitting too fine a hair here... > > The SHA256 hashing of the private key may not result in authenticity > assurances on the key (if I'm reading it correctly). I believe that's > an Athenticate-then-Encrypt scheme, and the details of the > interactions in AtE can be tricky. Hugo Krawczyk evaluated similar AtE > systems (for example, SSL) in The Order of Encryption and > Authentication for Protecting Communications. The two AtE schemes > which are provably secure are (1) a block cipher operated in CBC mode, > and (2) stream ciphers which XORs data with a pseudorandom pad. > > I can see where the hash might satisfy the psuedo random pad, but I > don't see the stream cipher in the equation. Perhaps a more > traditional Encrpyt-then-Authenticate (for example, IPSec) might be > useful for TGP. [At least TGP is not using Authenticate-and-Encrypt, > which Krawczyk proved insecure (for example, early SSH)]. > > If your using SHA-256 as the PRF of a KDF, then TGP might be reducing > the security of the system protecting the private assymmetric key (I'm > presuming AES-256 was chosen for a reason). AES-256 provides a > security level of ~2^255, while SHA-256 provides ~2^128. Its mostly a > theoretical observation: I'd attack the password/passphrase before > attempting pre-image attacks on the hash. [After all these years, > SHA-160 has only been reduced to ~2^50 from a theoretical 2^80, and > 2^50 is still beyond my reach]. > > Jeff > > On Sun, Jun 13, 2010 at 5:44 PM, Thor (Hammer of God) > <[email protected]> wrote: >> >> This is what I’ve been talking about... Here is the first part of >> the docs I wrote up - make sure you see that I'm not yet supportin >> g huge files unless you have huge RAM. **.Net 4.0 Client profile >> is required to run this.** >> >> Right now the install bits are only available on the pilot site at: >> http://www.owa.hammerofgod.com >> in the downloads section. I have to wait on Raging Haggis to >> return from Canada before posting on www.hammerofgod.com . >> >> Here's a bit from the TGP Overview document included with the >> install and on the web site. Please read through it before asking >> silly questions. :) >> >> Also, feel free to hack it up as much as you would like. I know >> this is full disclosure, so feel free to zing them at me, or if you >> prefer, I can work with you on any issues you might have >> >> Remember, this is totally free, so my ability to handle custom >> requests will be limited. For those looking to break it, I would >> look at fuzzing the XML documents and the "drag and drop public >> XML" parsing feature. >> >> If you have questions or challenges about any of the security, I >> would ask to keep it on the list so that everyone can get the full >> benefit of productive security development. The read-me should >> pretty much lay everything out for you. If not, we'll take it up >> from there. >> >> t >> >> >> >> >> >> TGP – “Thor’s Godly Privacy” >> >> 06/13/10 v1.1.06 >> >> >> >> TGP is a small yet very powerful encryption utility. With all eyes >> on “the cloud,” I decided to write an encryption application >> better suited to an environment where portability and security wer >> e, at the least, challenging. In cloud computing, not only is th >> e use of file structures becoming more abstract, but the very conc >> ept of a “file server” is becoming more and more ubiquitous. >> >> >> >> As such, I designed TGP with “encryption for the cloud” in >> mind. That means that not only does TGP do everything your normal >> PGP-type applications do, but it does things a bit differently – >> differently in a way that can change the way you work with your en >> crypted data. At the simplest level, this is done by encrypting d >> ata into byte arrays, and then converting those byte arrays into B >> ase64 encoded text wrapped inside XML tags. In this way, not only >> do you get your typical file-based encrypted representation of yo >> ur data, but you also get data that you can copy and paste directl >> y into any email, mailing list, blog-page, or social networking site. >> >> >> >> What I think is interesting about this is that if we choose to, we >> no longer have to be the custodians of our encrypted data – we don >> ’t have to worry about actually housing the files: we can just pos >> t them to the internet and let someone else assume the burden of s >> toring the files for us. >> >> >> >> If I want to share encrypted files with someone or secure my own >> files, all I have to do is TGP encrypt the data I want, and post it >> to a mailing list somewhere. In the case of a list like Bugtraq or >> Full Disclosure, the data is actually automatically replicated out >> to any number of archive sites, thus distributing my data for me. >> I can literally be anywhere in the world and just do a quick search >> for my post to retrieve my data. And since the TGP public key >> files are also text representations of encrypted key data, I can do >> the same with my keys. >> >> >> >> Normally, you want to keep your private keys as safe as possible. >> This is still the case with TGP. However, it is trivial to build >> as many private keys as you wish to use for anything you want to >> use them for. TGP Private Key files are password protected and >> individually salted, so with a strong passphrase you have very >> reasonable assurance that no one is going to get to your key any >> time soon. So, you can create a private key with a strong >> password, post that, and then, say, encrypt a scan of your passport >> and post that. Then if you are ever in a pinch while travelling or >> something like that, you can simply use Google or Bing to access >> your data wherever you are. >> >> >> >> Of course, that’s just an example, but I think it illustrates the >> power of encrypted file structures like this. You can literally u >> se Facebook to post encrypted documents that you don’t have to mai >> ntain. >> >> >> >> That’s really the main different between TGP and an application li >> ke PGP. That and of course, TGP is free, and personally, I think >> PGP is tardware. It’s bloated, it’s far too expensive, it’s >> hard to use, and if you don’t watch your licensing, you can get sc >> rewed hard like I did when I didn’t want to buy the extended suppo >> rt and one day my encrypted drives stopped working until I paid th >> em. That doesn’t fly. TGP also doesn’t require that you are an >> admin to install. However, the .NET installer for the 4.0 client >> profile does – that’s not my doing. Regardless, here are the >> file structures TGP uses: >> >> >> >> Things that still suck about TGP >> >> Currently TGP uses a memory stream for the destination of the AES >> cryptostream. This sucks because it makes the maximum file one can >> encrypt based on available memory. It’s not a huge deal, but it d >> oes keep you from encrypting a gigabyte file. I’ll be changing th >> at soon. >> >> >> >> Timothy “Thor” Mullen >> >> Hammer of God >> >> [email protected] >> >> www.hammerofgod.com >> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
