Re: gnome-keyring Generating RSA keys from /dev/urandom



Hi Stef,

Some points for discussion:
  • The one major issue that I see with this proposal is that GKR is normally installed along with the rest of the system (desktop machine: machine install -> user setup -> keyring install). At that time there may only be a tiny amount of entropy in the system. So unless you're blocking the thread, waiting for more entropy to come by, your RSA keys will be vulnerable to brute-forcing.
  • OTOH "lazy signing" means the keyring will be in an in-between state for a day or so. You might have a UI message along the lines of "Your keyring is not signed. This might be legitimate if you only installed it in the last 24 hours, otherwise it likely indicates that the keyring has been tampered with." Frankly, I don't like this approach.
  • In theory you don't need 2048 bits of entropy. You only need the "effective key length" (I forget, I think it should be 192 bits in this case). But then you need a function in OpenSSL that'll take that true entropy and generate a public key out of it. I don't know if such a thing exists (it's easy to expand the 192 bits into 2048 bits in a secure manner, e.g. with HKDF, but then you need at least primality checking.)
  • When you're signing with RSA someone needs to verify the signature. And they will verify it against the public key. Isn't the public key vulnerable to the exact same attacks you are protecting against in the first place? Or are you thinking of enabling export and offline storage of the public key?
  • I don't remember the reasoning, but the best practice is to use separate keys for encryption and signature.
Thanks,
    Yaron
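The third point above (expand a seed of roughly the security level into the bits the prime search consumes, then do primality checking) can be made concrete. The following is an added example written for this page; it is not gnome-keyring, libgcrypt or OpenSSL code. It assumes HKDF with HMAC-SHA256 (RFC 5869) as the expander, trial division plus Miller-Rabin for primality, a key size parameter so the demonstration can run with toy-sized primes, and textbook RSA over a SHA-256 digest with no padding for the sign/verify check (a real implementation would use a vetted library and a padded signature scheme). The point it shows is that the same 192-bit seed always yields the same key, while a different seed yields a different one.

```python
"""Derive an RSA key pair from a fixed-size secret seed (added example).

Constructed for illustration: the seed is expanded with HKDF-SHA256 into a
deterministic byte stream, the stream feeds a prime search checked with
trial division and Miller-Rabin, and the primes are assembled into an RSA
key.  Not a standardised DRBG and not production code.
"""
import hashlib
import hmac
import math

# Small primes for cheap trial division before the Miller-Rabin rounds.
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; length <= 255 * 32 bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class SeedStream:
    """Deterministic byte stream keyed by the seed: each request is one
    HKDF-Expand call with a distinct (label, counter) info string, so the
    255-block limit of a single expand is never reached (constructed design)."""

    def __init__(self, seed: bytes, label: bytes):
        self.prk = hkdf_extract(b"rsa-from-seed-example", seed)  # constructed salt
        self.label = label
        self.counter = 0

    def next_bytes(self, n: int) -> bytes:
        self.counter += 1
        return hkdf_expand(self.prk, self.label + self.counter.to_bytes(4, "big"), n)


def is_probable_prime(n: int, stream: SeedStream, rounds: int = 32) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin with witnesses
    drawn from the seed stream so the whole derivation stays deterministic."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        raw = int.from_bytes(stream.next_bytes(n.bit_length() // 8 + 1), "big")
        a = 2 + raw % (n - 3)          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def derive_prime(stream: SeedStream, bits: int) -> int:
    """Walk the stream until a probable prime of exactly `bits` bits appears."""
    while True:
        cand = int.from_bytes(stream.next_bytes(bits // 8), "big")
        cand |= (1 << (bits - 1)) | 1  # force full length and oddness
        if is_probable_prime(cand, stream):
            return cand


def rsa_key_from_seed(seed: bytes, bits: int = 2048, e: int = 65537) -> dict:
    """Expand a seed of at least 192 bits into an RSA key of `bits` bits."""
    if len(seed) < 24:
        raise ValueError("seed shorter than 192 bits")
    p_stream, q_stream = SeedStream(seed, b"p"), SeedStream(seed, b"q")
    while True:
        p = derive_prime(p_stream, bits // 2)
        q = derive_prime(q_stream, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q}


def sign(key: dict, message: bytes) -> int:
    """Textbook RSA over SHA-256(message): demonstration only, no padding."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, key["d"], key["n"])


def verify(key: dict, message: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, key["e"], key["n"]) == h


if __name__ == "__main__":
    # Constructed demo seed; a real seed would come from the OS RNG.
    seed = hashlib.sha256(b"constructed demo seed, not secret").digest()[:24]
    key = rsa_key_from_seed(seed, bits=512)   # toy size so it runs in well under a second
    sig = sign(key, b"trust exception")
    print("modulus bits:", key["n"].bit_length(), "verify:", verify(key, b"trust exception", sig))
```

Because every byte the prime search consumes is derived from the seed, the key can be regenerated from the seed alone; that is exactly why the seed, and not the number of bits the generator reads, is what must carry the full entropy. The public half is unaffected by any of this, which is why the fourth point about where the public key lives still applies.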
Date: Tue, 07 Dec 2010 10:25:18 -0600
From: Stef Walter <stefw collabora co uk>
To: "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
Cc: Nikos Mavrogiannopoulos <nmav gnutls org>
Subject: gnome-keyring Generating RSA keys from /dev/urandom
Message-ID: <4CFE5FEE 3070403 collabora co uk>
Content-Type: text/plain; charset=ISO-8859-1

I'm working on RSA key generation in gnome-keyring PKCS#11 stuff.

I'd also like to generate a single RSA 2048-bit key per user, which will
be used to sign and encrypt their PKCS#11 store. The reason for using PK
signing instead of a simple HMAC is so that we can verify things in the
store (like trust exceptions) without unlocking it, but then require an
unlock in order to modify it. Such a key would be generated at or around
the first login time.

In gnome-keyring we use libgcrypt. libgcrypt by default uses /dev/random
as a random source to generate the key. However this blocks for
unacceptable amounts (minutes to hours) of time when generating a 2048
bit RSA key.

GnuTLS, OpenSSL, NSS all use /dev/urandom to generate their RSA keys.
I'd like to make gnome-keyring also have this behavior. We can do this
easily by setting a flag for libgcrypt. But I want to make sure I get
appropriate feedback before doing this.

Any comments?

Cheers,

Stef



