On 28 February 2015 at 06:24, Jonathan Rudenberg <[email protected]> wrote:

> > On Feb 27, 2015, at 10:08 AM, Nadim Kobeissi <[email protected]> wrote:
> >
> > This is why it's better, I think, to focus on ensuring that the
> > passphrase space search *itself* is exceedingly expensive in the first
> > place, hence the strict passphrase requirements and the strong scrypt
> > derivation rounds.
>
> I’m not sure how publishing passphrase-encrypted private keys to the world
> (in the public key form of “brain keys”) can be *better* than restricting
> access to encrypted random private keys to a server that is already
> privileged with access to communications metadata. As long as the algorithm
> and passphrase entropy is exactly the same for both, storing encrypted
> random private keys on a server somewhere is *strictly better* than using
> the equivalent “brain key”. Am I missing something?

I think Nadim's point is that the encrypted storage can lull people into a
false sense of security so they use a weak passphrase for the encryption.
Building the system so as to be secure in the "offline attack is possible"
scenario means it will still be secure in the "server protects against
offline attack" scenario.

The benefit of allowing server side key storage is that it opens up a bit
more flexibility in how the keys are generated. You could still generate
the key from a passphrase but using a very high stretching cost (i.e. $1
per guess) and then encrypt it at a much lower cost so that your mobile
device could use it.
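The two-stage scheme sketched in the last paragraph (a very expensive passphrase derivation for the key itself, then a much cheaper passphrase-based wrapping of that key for server storage and mobile use), as an added example that is not part of the original message. The scrypt cost parameters and the per-user salt are constructed and scaled down so it runs in seconds, and the XOR-plus-HMAC wrapping is a standard-library stand-in for an AEAD.

```python
import hashlib
import hmac
import os

# Constructed cost parameters, scaled down so the example runs in seconds.
# In the scheme described, HIGH_COST would be tuned so one guess costs ~$1.
HIGH_COST = dict(n=2**14, r=8, p=1)  # slow: the key itself resists offline guessing
LOW_COST = dict(n=2**10, r=8, p=1)   # cheap: usable on a mobile device


def derive_brain_key(passphrase: str, salt: bytes) -> bytes:
    """Expensive derivation: the 32-byte private key is a function of the passphrase."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, dklen=32, **HIGH_COST)


def _wrap_material(passphrase: str, salt: bytes) -> tuple:
    """Cheap derivation of a 32-byte one-time pad and a 32-byte HMAC key."""
    okm = hashlib.scrypt(passphrase.encode(), salt=salt, dklen=64, **LOW_COST)
    return okm[:32], okm[32:]


def wrap_key(key: bytes, passphrase: str) -> dict:
    """Encrypt-then-MAC the derived key under the cheap key; this blob is what the server stores."""
    salt = os.urandom(16)  # fresh per wrap, so the pad is never reused
    pad, mac_key = _wrap_material(passphrase, salt)
    ciphertext = bytes(k ^ p for k, p in zip(key, pad))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ct": ciphertext, "tag": tag}


def unwrap_key(blob: dict, passphrase: str) -> bytes:
    """Recover the key at LOW_COST; a wrong passphrase or a tampered blob fails the tag check."""
    pad, mac_key = _wrap_material(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase or corrupted blob")
    return bytes(c ^ p for c, p in zip(blob["ct"], pad))


def rejects_wrong_passphrase(blob: dict, passphrase: str) -> bool:
    try:
        unwrap_key(blob, passphrase)
        return False
    except ValueError:
        return True


def enrol_and_login(passphrase: str) -> tuple:
    """Enrolment pays HIGH_COST once; each later login pays only LOW_COST."""
    key = derive_brain_key(passphrase, b"constructed-per-user-salt")  # constructed salt
    blob = wrap_key(key, passphrase)
    # The trade-off the thread discusses: whoever obtains `blob` can test passphrase
    # guesses at LOW_COST each, so the server must keep it private.
    return key, unwrap_key(blob, passphrase), blob
```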
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
