On Thu, 2016-12-22 at 00:31 +0100, Arne Babenhauserheide wrote:
> Hi,
>
> I just finished the basic implementation of a long-term plan I had:
> portable WoT IDs, recoverable with a random password.
>
> → https://github.com/ArneBab/lib-pyFreenet-staging/commit/7a847a0e3db50948ae2b65ff8171401a0cd0cd9b
>
> Basic approach:
>
> - Upload the private key to KSK@<common prefix>-<14 letter password>--recovery
> - Upload metadata to USK@<public key>/<14 letter password>--<type of metadata>/-1
> - recovery: download KSK, invert private key, retrieve metadata from USK, re-create WoT identity
>
> It would be great if you could double-check whether I missed anything
> which would spill your private key. The current password has an entropy
> of 75 bits — is that enough?
Enough for what? https://www.keylength.com/en/3/

You are naive if you think that you can ask users to give you 75 bits they can remember but others can't guess.

> Is it somehow possible to decrypt parts of
> the store at random in the hope of hitting a random uploaded private key
> (a variant of the birthday attack against the password which would avoid
> having to query the network for each check)?

Of course it is. Your scheme is completely broken; at the very least the "passphrase" should be salted, hashed and iterated... and yes, that means getting the user to remember the salt too.

Florent
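The salt-hash-iterate hardening Florent asks for, next to the layout Arne posted, as an added example that is not code from this thread or from lib-pyFreenet. It assumes a constructed prefix, a PBKDF2-HMAC-SHA256 work factor chosen here, and a user-held 16-byte salt; encrypting the private key under the derived wrap key before upload is left to a real AEAD library and is not shown.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Tuple

PREFIX = "wot-recovery"   # constructed stand-in for the "common prefix"
ITERATIONS = 600_000      # PBKDF2 work factor (assumption; tune to hardware)
ALPHABET = string.ascii_letters + string.digits


def naive_recovery_ksk(password: str) -> str:
    """Layout as posted: the password is the KSK name itself, so a
    correct guess yields the private key directly and a guess can be
    checked against store contents without a network round trip."""
    return f"KSK@{PREFIX}-{password}--recovery"


def derive_recovery_material(password: str, salt: bytes) -> Tuple[str, bytes]:
    """Salted, hashed, iterated variant. One PBKDF2 run, then two
    domain-separated HMAC outputs: the KSK slot name and an independent
    key for encrypting the private key before it is uploaded."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    root = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)
    slot = hmac.new(root, b"ksk-slot", "sha256").hexdigest()[:32]
    wrap_key = hmac.new(root, b"wrap-key", "sha256").digest()
    return f"KSK@{PREFIX}-{slot}--recovery", wrap_key


def new_password(length: int = 14) -> str:
    """Uniformly random password from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_salt() -> bytes:
    """16 random bytes; the user has to keep this alongside the password."""
    return secrets.token_bytes(16)


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly chosen password of this length and alphabet."""
    return length * math.log2(alphabet_size)
```

With the derived layout each password guess costs ITERATIONS hash operations and needs the salt before a slot name can even be formed, whereas the posted layout lets a guess be checked with a single string comparison against store contents.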
