[messaging] Multiple devices and key synchronization: some thoughts
Sam Lanning
sam at samlanning.com
Sat Jan 3 12:30:22 PST 2015
On 03/01/15 20:05, Trevor Perrin wrote:
> On Sat, Jan 3, 2015 at 10:04 AM, Sam Lanning <sam at samlanning.com> wrote:
>>
>> When prompted to create a new ID, a user enters their full name, and a
>> password (with appropriate UI to encourage strong passwords). Now this
>> data is then solely used to generate pseudorandom data for key
>> generation of the master keypair. (e.g. using PBKDF2)
>
> This means anyone who receives or sees one of your messages can
> attempt password cracking.
>
> It would probably have the same useability and better security if you
> generated the master key through a secure RNG, then encrypted the
> master private key with the password and synchronized the encrypted
> blob to your devices through some service.
>
> Then only the service could attempt password cracking.
>
> I'm not taking a position whether any of this is a good idea.
> User-chosen passwords are often weak. But this flexibility is at
> least possible with the "synchronize the master private key" between
> devices approach, which I've been advocating.
>
>
> Trevor
>
In fact, we could get the exact same usability if we used a single
password for the encryption and authentication to 3rd party service.
We could do something like this:
password + hashed name / email as salt
-> PBKDF2 (n rounds)
-> authentication keypair (for 3rd parties where encrypted data is
stored).
<-
obtain encrypted data + salt
password + salt
-> PBKDF2 (n rounds)
-> encryption key (symmetric)
This still allows for:
* never storing master key unencrypted anywhere
* everything else I mentioned in my previous message.
But also means:
* only the third party service can attempt password cracking.
* your identity does not depend on your password
The only downside this has compared to the previous idea is that you
rely on a 3rd party service for availability, which is probably fine as
everything nowadays does anyway...
Sam.
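The two-derivation flow sketched in the message above (one PBKDF2 run with the hashed email as salt for the service authentication key, a second run with a service-supplied random salt for the symmetric key that wraps a master private key generated from a secure RNG), as an added worked example that is not part of the original thread. It is standard-library Python only; the HMAC-counter-mode keystream plus HMAC tag is a stand-in for a real AEAD such as AES-GCM, the 32-byte random secret stands in for a real master keypair, `SyncService` models the third-party store, and the round count, lengths and address normalisation are assumed values.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this example (not from the thread).
PBKDF2_ROUNDS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_auth_key(password: str, email: str) -> bytes:
    """Step 1: password + hashed email as salt -> PBKDF2 -> key used only to
    authenticate to the storage service."""
    salt = hashlib.sha256(email.strip().lower().encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 32)


def derive_wrap_key(password: str, salt: bytes) -> bytes:
    """Step 2: password + service-supplied random salt -> PBKDF2 -> symmetric key
    that wraps the master private key. Different salt, so a different key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as a PRF keystream (AEAD stand-in).
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate keys split off the wrap key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped master key failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncService:
    """Models the untrusted third-party store. It never sees the password, the
    wrap key or the master key: only a verifier for the auth key, the salt and
    the ciphertext blob. Offline password guessing is possible only from here."""

    def __init__(self):
        self._accounts = {}

    def register(self, email, auth_key, salt, blob):
        self._accounts[email] = {
            "verifier": hashlib.sha256(auth_key).digest(),
            "salt": salt,
            "blob": blob,
        }

    def fetch(self, email, auth_key):
        acct = self._accounts.get(email)
        if acct is None or not hmac.compare_digest(
            acct["verifier"], hashlib.sha256(auth_key).digest()
        ):
            raise PermissionError("authentication failed")
        return acct["salt"], acct["blob"]


def enroll(service, email, password):
    """First device: make the master key from a secure RNG (not from the
    password), wrap it, and deposit the wrapped blob with the service."""
    master_private_key = secrets.token_bytes(32)  # stand-in for a real master keypair
    salt = os.urandom(16)
    blob = wrap(derive_wrap_key(password, salt), master_private_key)
    service.register(email, derive_auth_key(password, email), salt, blob)
    return master_private_key


def sync_to_new_device(service, email, password):
    """New device: authenticate, obtain salt + blob, derive wrap key, unwrap."""
    salt, blob = service.fetch(email, derive_auth_key(password, email))
    return unwrap(derive_wrap_key(password, salt), blob)


if __name__ == "__main__":
    svc = SyncService()
    mk = enroll(svc, "alice@example.com", "correct horse battery staple")
    assert sync_to_new_device(svc, "alice@example.com", "correct horse battery staple") == mk
    print("master key synchronised without ever being stored in the clear")
```

The point the example makes concrete is the separation of roles: the service holds a verifier for the authentication key and the ciphertext, so a stolen message reveals nothing to crack, and only a compromised or malicious service is in a position to run a dictionary attack, at the cost of the PBKDF2 work factor per guess. A wrong password is rejected before any blob leaves the service, and a tampered blob is rejected by the integrity tag before it is ever decrypted.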