Hello, I will read your suggestion later. For now, let me reply to a question.
[email protected] wrote:
> However, as Gnuk is currently implemented, if the key was copied from
> the device still in its encrypted state, is it possible to know when
> the data is successfully decrypted by applying AES decryption with
> guessed PINs? IE: Can you know when successfully decrypted because you
> see a specific header byte sequence?

Let me explain.

Terms:

  KDF:  Key Derivation Function
  KEK:  Key Encoding Key
  DEK:  Data Encoding Key
  AEAD: Authenticated Encryption

Here is a figure:

  Passphrase --[KDF on your computer + on the device]--> KEK

  KEK --> [AES decryption] --> DEK
                 ^
  Encrypted      |
  key -----------/

  DEK --> [AEAD decryption] --> private key material
                 ^
  Encrypted      |
  private key ---/  with authentication tag
                    (stored in the flash memory of the device)

With AEAD, it determines whether the decrypted data is correct or not.

In the situation where all the data is extracted from the MCU (somehow), a
brute force attack with guessed DEK (or KEK) is possible, and a brute
force attack with guessed passphrase is possible, too.

With Gnuk, computation of KEK is done together with the host computer and
the device (when configured correctly). KDF on the device side uses
(32-bit from 96-bit) unique ID of MCU.

When the host computer is cracked, the passphrase might be known. In this
case, private key material may be acquired using the passphrase and the
information (or guessing) of the unique ID.

When the USB communication is tapped and monitored, the partially computed
KEK might be known. In this case, private key material may be acquired
by a bit of brute force attack with the partially computed KEK and the
information (or guessing) of the unique ID.

--
_______________________________________________
Gnuk-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnuk-users
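The chain in the figure above, as an added Go example that is not Gnuk's code: the host/device KDF split (iterated SHA-256 then HMAC-SHA256 over 32 bits of the MCU ID), block-wise AES wrapping of the DEK, and AES-GCM as the AEAD are stand-ins chosen for illustration, and the iteration count, key sizes, nonce and sample values are constructed assumptions. It shows why the AEAD tag settles the question asked in the mail: a wrong passphrase or wrong unique ID fails the tag check instead of silently yielding garbage, so a dumped image plus a guess is verifiable offline.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// deriveKEK models the split KDF: the host's share (stand-in: iterated SHA-256) is the
// "partially computed KEK" a USB tap could see; the device mixes in 32 bits of the MCU ID.
func deriveKEK(passphrase []byte, mcuID uint32) []byte {
	partial := sha256.Sum256(passphrase)
	for i := 0; i < 1000; i++ { // host side (iteration count is an assumption)
		partial = sha256.Sum256(partial[:])
	}
	mac := hmac.New(sha256.New, partial[:]) // device side (stand-in: HMAC-SHA256)
	mac.Write([]byte{byte(mcuID >> 24), byte(mcuID >> 16), byte(mcuID >> 8), byte(mcuID)})
	return mac.Sum(nil)
}

// aesBlocks runs raw AES over each 16-byte block to wrap or unwrap the 32-byte DEK.
func aesBlocks(key, in []byte, decrypt bool) []byte {
	c, _ := aes.NewCipher(key) // keys are always 32 bytes here, so no error
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:], in[i:])
	}
	return out
}

func gcmFor(dek []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}

// Provision is the device's stored state: DEK wrapped under KEK, key material sealed under DEK.
func Provision(passphrase []byte, mcuID uint32, dek, nonce, privKey []byte) (wrappedDEK, sealed []byte) {
	return aesBlocks(deriveKEK(passphrase, mcuID), dek, false), gcmFor(dek).Seal(nil, nonce, privKey, nil)
}

// Unlock follows the figure: passphrase -> KEK -> DEK -> key material; the GCM tag reports success.
func Unlock(wrappedDEK, nonce, sealed, passphrase []byte, mcuID uint32) ([]byte, error) {
	dek := aesBlocks(deriveKEK(passphrase, mcuID), wrappedDEK, true)
	return gcmFor(dek).Open(nil, nonce, sealed, nil)
}
```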
