[messaging] Peerio

Nadim Kobeissi nadim at nadim.computer
Fri Feb 27 10:08:25 PST 2015 

On Fri, Feb 27, 2015 at 6:38 PM, Trevor Perrin <trevp at trevp.net> wrote:

> On Thu, Feb 26, 2015 at 1:36 PM, Nadim Kobeissi <nadim at nadim.computer>
> wrote:
> >
> > I think storing the private key in the user's brain, in the form of a
> > passphrase, is more secure than having it lying around on every computer
> > they use for crypto in the form of a PGP key file.
>
> I don't see that.  With respect to offline passphrase cracking, the
> peerio approach seems less secure than the PGP approach:
>
> Having a passphrase-encrypted private key "lying around on every
> computer they use" - like PGP - means offline-cracking can only be
> attempted by attackers who steal that file.
>
> Having a passphrase-generated private key - like peerio - means
> offline-cracking can be attempted by anyone who sees your public key.
>
> So the peerio approach has the same security as if you were
> transmitting your private-key file alongside your public key, which
> exposes it *much* more widely.
>
>
>
> > Deriving private keys
> > from a strong passphrase offers an ephemeral portability, where I can
> carry
> > my key identity with me in my head, use it on any computer, without
> > permanently any private key information on said computer (that is, unlike
> > PGP.) When I'm using a trusted friend's computer, or when I buy a new
> one, I
> > can be all set just by entering my passphrase and logging in like I'd log
> > into Gmail or Facebook. I think this is very important for people to be
> able
> > to do.
>
> OK, so you want anyone to be able to login to the peerio service, from
> a new computer, with just their user-chosen passphrase.  That can be
> easily done *without* a passphrase-generated private key:
>  - private keys are generated at random
>  - the service stores a passphrase-encrypted private key
>  - after login, the passphrase-encrypted private key is fetched by the user
>
> This has the same useability as your solution, but doesn't enable your
> correspondents to attempt offline password-cracking.  So
> passphrase-generated private keys in peerio still seem strictly
> inferior to the traditional approach (generating keys from a strong
> RNG).
>
> What am I missing?
>

This is by no means a bad idea. But considering the server as part of the
adversarial model, this proposition doesn't seem to help much, since:

Anyone with access to the server can simply hoover up all the
passphrase-encrypted private keys, and then try to crack them in the same
way by searching through the space of possible passphrases. This is why
it's better, I think, to focus on ensuring that the passphrase space search
*itself* is exceedingly expensive in the first place, hence the strict
passphrase requirements and the strong scrypt derivation rounds.

That being said, I'm not opposed to switching to that model of storing an
encrypted copy on the server; I just see the two solutions as (more or
less) equivalent, since we consider (as much as we realistically can) that
servers are part of the adversary.


>
> Trevor
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150227/2f556fff/attachment.html>

More information about the Messaging mailing list