I have a suggestion for tails, that will make it more useful for the masses, and still having it completely read-only.
And that is having, when the Tails OS starts up, there will be a password prompt. This password prompt will accept any password. This passsword is then used with PBKDF2 key strengtening to create a master key. Then this master key is SHA512d concatenated with a counter, creating a CSPRNG stream. (with a 32 bit counter there will be exactly 2 TB of randomness before it start to repeat) (ergo: the first 512 bits is: Sha512( PBKDF2(password) + 0 ) , second 512 bits = Sha512( PBKDF2(password) + 1 ), and so on). Then this CSPRNG stream is then used to create a PGP key, then a bitcoin keypair (with adress and such), then a Tor keypair, and then a few other keys, certificates and such needed for the system. Of course this should not be fed into /dev/random, instead other ways is needed to correctly inject this randomness in the key generation functions for OpenPGP and such. Of course, 2 different users starting up Tails and entering the identical password will of course get the same PGP key, same bitcoin keypair and such. But the main advantage is that you dont need to store anything. Even if your Tails installation media is seized, nothing can happen. You have your password, thats all that is needed to recreate your installation of Tails. Of course, the user needs to select a secure password. This also means any single tails installation media can be used by unlimited users. And that would also make it more interesting for internet cafés and such to install Tails on their public computers, since tails then become completely read-only but still users can get their PGP keys, bitcoin keys, and TOR keys and other keys by simply logging in with the password they chose when first starting to use tails at home. Best regards, Sebastian Nielsen
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
