[Gnuk-users] gnuk-users Digest, Vol 107, Issue 3

Thu Jan 11 20:26:24 UTC 2018

That's why tamper resistance is such a critical assumption -- otherwise you
can't use a short PIN. If you know the hardware is tamper-resistant, then
you can trust that the attacker will never obtain a copy of the ciphertext,
so you don't have to worry about offline brute-force attacks *even for a
6-digit PIN*. Instead you can trust that the retry lockout asserted by the
tamper-resistant hardware will prevent more than three incorrect tries,
which is not impossible to do but a reasonable tradeoff given the
significant usability of needing to remember only a short PIN. (I believe
the math is (999999÷1000000)×(999998÷999999)×(999997÷999998) = 99.9997%
chance of getting locked out rather than correctly guessing 6 numeric
digits, given a maximum of three attempts.)

> I was however assuming you are using a proper
> good passphrase for your GnuK.

If you still need a good passphrase, then there is no usability benefit
over pure desktop GnuPG -- in either case the experience is "start GPG
operation, enter long passphrase into pinentry dialog on desktop, complete
GPG operation."

There is a small bit of additional security from the fact that the private
key lives in a physical home that you can take with you or lock in a
lockbox. But if the threat model includes exfiltration of the encrypted
private key from that physical home, then that additional security is
largely imaginary; moreover, you don't need GnuK to make it possible to
lock a copy of your GPG key in a box.

On Thu, Jan 11, 2018 at 10:59 AM Peter Lebbing <peter at digitalbrains.com>
wrote:

> On 11/01/18 19:38, Mike Tsao wrote:
> > They are inexpensive and they replace a
> > strong stretched passphrase with a short unstretched PIN that's easy to
> > memorize and enter.
>
> Well, if you're not worried about brute-force attacks on extracted
> encrypted keys, sure, you can use a short unstretched PIN. I was however
> assuming you are using a proper good passphrase for your GnuK. I haven't
> looked at the key derivation function of GnuK, but I know that this area
> is under construction to be improved by letting the host PC do (part
> of?) the KDF. So even if right now the KDF isn't as good as you want,
> this is already being worked on.
>
> With a good KDF, there is no problem with brute-forcing, known plaintext
> or no.
>
> >   * Valuable asset...
> >   * That is encrypted by a brute-forceable PIN...
>
> As you say, this is unsolvable, might as well not encrypt it at all. It
> is not the assumed usage of GnuK, it is assumed you use a good
> passphrase rather than a PIN if you're worried about data extraction.
> Luckily, nobody is forcing you to use a PIN :-).
>
> With a 6-digit PIN, the time needed to crack is inherently only 500,000
> times slower than that of regular use, *irrespective* *of* *stretching*.
> Even if you were to accept a totally painful delay of 10 seconds on
> passphrase entry, that /same/ computer could necessarily crack it after
> on average just two months of computation. A dedicated cracking rig
> would be much quicker even, so these numbers are unrealistically benign.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20180111/63de4b0c/attachment-0001.html>