Re: Traveling without a secret key (was: As a fan of GnuPG ... )
On Dienstag, 7. Juli 2020 22:42:07 CEST Stefan Claas wrote: > Let's say you travel a lot and do not want to risk that your secret key > gets compromised due to border control etc. > > One simply uses the program passphrase2pgp, from GitHub[1] and when creating > the key and the passphrase is needed, one simply issues: > > echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64 > and then one gets a string with an entropy of over 200, which is more than > secure. This would one IMHO allow to have a strong passphrase but generated > with an easy to remember password. I'm sorry, but you cannot increase the entropy of "simple password" by hashing it. What you propose is "security by obscurity". And that was never a good idea. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Traveling without a secret key (was: As a fan of GnuPG ... )
Regenerating your secret key like this is perhaps dangerous and easy to do wrong, for example you will probably leak it in your shell's history. If an attacker finds out this is your scheme, they can then start to brute force your secret key without need any access to your data, which happened with Brainflayer[1]. Since your secret key is stored symmetrically-encrypted with a passphrase, it's not game over if it gets leaked (e.g. border control). It is a concern that you could have leaked without knowing, and your passphrase could _eventually_ being cracked; better would be to put it on a smart-card like an Yubikey, which will only give Mallory a couple chances to guess before the tape self-destructs. [1] https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/ On 2020-07-07T22:42:07+0200 Stefan Claas wrote 1.9K bytes: > Stefan Claas wrote: > > > ... you should try this out in your terminal and look at the beginning > > of the output: > > > > $ echo 1fccaf3d | xxd -r -p | openssl dgst -sha256 -binary | openssl enc > > -base64 > > I thought about this technique a bit for easy to remember passwords, which > can be converted to strong passwords. > > Let's say you travel a lot and do not want to risk that your secret key > gets compromised due to border control etc. > > One simply uses the program passphrase2pgp, from GitHub[1] and when creating > the key and the passphrase is needed, one simply issues: > > echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64 > and then one gets a string with an entropy of over 200, which is more than > secure. This would one IMHO allow to have a strong passphrase but generated > with an easy to remember password. > > Here's a little Go program, wich does this without the above commands, > so that it can be used on Windows without OpenSSL: > > package main > > import ( > "crypto/sha256" > "bufio" > "os" > "fmt" > "encoding/base64" > > "ekyu.moe/base91" > ) > > func main(){ > scanner := bufio.NewScanner(os.Stdin) > scanner.Scan() // use `for scanner.Scan()` to keep reading > src := scanner.Text() > hash := sha256.Sum256([]byte(src)) > fmt.Println(base91.EncodeToString([]byte(hash[:]))) > fmt.Println(base64.StdEncoding.EncodeToString(hash[:])) > } > > One simply starts the program and then types the easy to > remember password and presses enter and the program returns > a base91 and base64 string to choose from. > > And with passhprase2pgp one needs always to remember the > Unix Expoch Time, for key creation, so that always the > same secret key will be generated. > > [1] https://github.com/skeeto/passphrase2pgp > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Traveling without a secret key (was: As a fan of GnuPG ... )
Philihp Busby wrote: > Regenerating your secret key like this is perhaps dangerous and easy to do > wrong, for example you will probably leak it in > your shell's history. If an attacker finds out this is your scheme, they can > then start to brute force your secret key > without need any access to your data, which happened with Brainflayer[1]. > > Since your secret key is stored symmetrically-encrypted with a passphrase, > it's not game over if it gets leaked (e.g. border > control). It is a concern that you could have leaked without knowing, and > your passphrase could _eventually_ being cracked; > better would be to put it on a smart-card like an Yubikey, which will only > give Mallory a couple chances to guess before the > tape self-destructs. > > [1] > https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/ Thanks for the valuable input! While the echo and OpenSSL commands leave it in your history, the Go program does not display it in history. Also, when using a Windows Computer, without gpg4win installed, this could maybe useful too, because nobody would see that you have GnuPG installed and one installs it only after arrival. Or one use this technique with other symmetric encryption software, or for login credentials and telling family and friends only the easy to use password prior departure, which then can also be changed daily with a scheme like password = 'Holidays Day 1', next day 'Holidays Day 2' etc. Well, just a thought ... because I thought about the entropy for a strong password, while it can be memorized easily. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Traveling without a secret key (was: As a fan of GnuPG ... )
Stefan Claas wrote: > ... you should try this out in your terminal and look at the beginning > of the output: > > $ echo 1fccaf3d | xxd -r -p | openssl dgst -sha256 -binary | openssl enc > -base64 I thought about this technique a bit for easy to remember passwords, which can be converted to strong passwords. Let's say you travel a lot and do not want to risk that your secret key gets compromised due to border control etc. One simply uses the program passphrase2pgp, from GitHub[1] and when creating the key and the passphrase is needed, one simply issues: echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64 and then one gets a string with an entropy of over 200, which is more than secure. This would one IMHO allow to have a strong passphrase but generated with an easy to remember password. Here's a little Go program, wich does this without the above commands, so that it can be used on Windows without OpenSSL: package main import ( "crypto/sha256" "bufio" "os" "fmt" "encoding/base64" "ekyu.moe/base91" ) func main(){ scanner := bufio.NewScanner(os.Stdin) scanner.Scan() // use `for scanner.Scan()` to keep reading src := scanner.Text() hash := sha256.Sum256([]byte(src)) fmt.Println(base91.EncodeToString([]byte(hash[:]))) fmt.Println(base64.StdEncoding.EncodeToString(hash[:])) } One simply starts the program and then types the easy to remember password and presses enter and the program returns a base91 and base64 string to choose from. And with passhprase2pgp one needs always to remember the Unix Expoch Time, for key creation, so that always the same secret key will be generated. [1] https://github.com/skeeto/passphrase2pgp Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users