Securely backing up GPG private keys... to the cloud. Joey Hess LibrePlanet 2017

Similar documents
Securely backing up GPG private keys

Understanding how to prevent. Sensitive Data Exposure. Dr Simon Greatrix

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

INSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Argon2 for password hashing and cryptocurrencies

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Password Cracking via Dictionary Attack. By Gaurav Joshi Mansi Nahar (Team: RubberDuckDebuggers)

BITLOCKER MEETS GPUS BITCRACKER

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Authentication. Steven M. Bellovin January 31,

Implementing Cryptography: Good Theory vs. Bad Practice

Cryptography for Software and Web Developers

Garantía y Seguridad en Sistemas y Redes

Censorship-Resistant File Storage

Lecture 4: Hashes and Message Digests,

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Criptext s end-to-end encryption system. Technical white paper

Cryptographic Hash Functions. Secure Software Systems

1.264 Lecture 28. Cryptography: Asymmetric keys

Encryption I. An Introduction

Authentication. Steven M. Bellovin September 26,

CS 161 Computer Security

Software Vulnerability Assessment & Secure Storage

n-bit Output Feedback

CSCE 715: Network Systems Security

WHITE PAPER. Authentication and Encryption Design

PYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptography (Overview)

Parallelizing Cryptography. Gordon Werner Samantha Kenyon

Dashlane Security White Paper July 2018

18-642: Cryptography 11/15/ Philip Koopman

Exceptional Access Protocols. Alex Tong

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Computer Security: Principles and Practice

Encrypting stored data

CS 161 Computer Security

Bitcoin, Security for Cloud & Big Data

PASSWORDS & ENCRYPTION

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Secret-in.me. A pentester design of password secret manager

HOST Authentication Overview ECE 525

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

SCRAM authentication Heikki Linnakangas / Pivotal

CNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks

Efficient Memory Integrity Verification and Encryption for Secure Processors

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

SCRAM authentication Heikki Linnakangas / Pivotal

CSC 580 Cryptography and Computer Security

NetPGP BSD-licensed Privacy. Alistair Crooks c

Core Security Services and Bootstrapping in the Cherubim Security System

Practical Aspects of Modern Cryptography

OneID An architectural overview

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

CSE 127: Computer Security Cryptography. Kirill Levchenko

Password. authentication through passwords

UNIT - IV Cryptographic Hash Function 31.1

Pass, No Record: An Android Password Manager

CS 161 Computer Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CloudSky: A Controllable Data Self-Destruction System for Untrusted Cloud Storage Networks

BreakingVault SAP DataVault Security Storage vulnerabilities

Security Specification

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

RSA. Public Key CryptoSystem

EEC-484/584 Computer Networks

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

Cryptography. Cryptography is much more than. What is Cryptography, exactly? Why Cryptography? (cont d) Straight encoding and decoding

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Encryption Details COMP620

Introduction to Symmetric Cryptography

Lecture 1: Course Introduction

User Authentication Protocols Week 7

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Passwords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.

SecureDoc Disk Encryption Cryptographic Engine

TIBX NEXT-GENERATION ARCHIVE FORMAT IN ACRONIS BACKUP CLOUD

Securing the Frisbee Multicast Disk Loader

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

MTAT Applied Cryptography

Misuse-resistant crypto for JOSE/JWT

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Single Sign-On Showdown

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Security context. Technology. Solution highlights

Attribute Based Encryption with Privacy Protection in Clouds

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

ESP Egocentric Social Platform

HASHING AND ENCRYPTING MANAGER CONTENT

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Transcription:

Securely backing up GPG private keys... to the cloud Joey Hess LibrePlanet 2017

Imagine if everyone used GPG

In a world where everyone has a GPG key...

In a world where everyone has a GPG key... Everyone has a key backup problem.

GPG key backup methods Print out GPG key paperkey(1) Hard to back up Hard to restore Backup $HOME to encrypted cloud storage obnam(1) / attic(1) Encrypted using what key? Backup $HOME to cloud storage GPG passphrases easily cracked Shard and store on USB drives, etc, scattered here and there Not automated

GPG key backup methods Don t back up GPG key Common approach

GPG key backup methods Don t back up GPG key Common approach

keysafe GPG key backup to cloud servers Securely Easily

keysafe backup (1/4)

keysafe backup (2/4)

keysafe backup (3/4)

keysafe backup (3/4)

keysafe backup (4/4)

keysafe restore (1/4)

keysafe restore (2/4)

keysafe restore (3/4)

keysafe restore (4/4) Wait 25 minutes to 1 hour for decryption...

keysafe s building blocks argon2 Shamir Secret Sharing AES The Cloud Tor zxcvbn

argon2 Password hash Password Hashing Competition winner (2015) https://password-hashing.net/ Tunable difficulty Iterations Memory use Threads Memory-Hard GPU and ASIC cracking resistance

Shamir Secret Sharing Boring 70 s technology Also completely awesome secret share share share secret

From secret to storable objects AES key secret + checksum + size AES pad to multiple of 32 kb encrypted data chunk chunk (chunks are 32 kb) Shamir Shamir (share numbers omitted) share share share share share share

From objects to secret AES key secret + checksum AES unpad encrypted data chunk chunk Shamir Shamir share share share share

AES key generation Password Name Other name 1 random byte salt argon2 12 seconds AES key

AES key recovery Password Name Other name 0-255? salt argon2 25 minutes (average) AES key

Password cracking cost 50 minutes work per guess to generate all 256 possible AES keys Weak password (30 entropy) 51072 CPU-years Bad password (19 entropy) 25 CPU-years

Layered defenses A. Password B. Object IDs C. Keysafe servers

Keysafe servers Store only fixed size objects (no large data) Store an object by ID Retrieve object by ID No object ID enumeration Self-tuning proof of work to access Accessible only via Tor

Keysafe servers Other server requirements and best practices (warrant canary) https://joeyh.name/code/keysafe/servers/ As long as 2 of 3 keysafe servers are uncompromised, no mass password cracking. Best hosted by well-known, broadly trusted organizations.

Object ID generation Name Other name Keyid combined name salt argon2 10 minutes base ID +1 sha256 ID1 +2 sha256 ID2 +3 sha256 ID3

Object IDs Attacker needs object IDs to download objects from servers Each name guess takes 10 minutes CPU time to calculate object IDs Two colluding servers can perform a correlation attack to find related object IDs Servers don t record timestamps, or keep logs, to prevent correlation attacks after the fact

Current status keysafe client and server implementation in Haskell (3600 LoC) In Debian (experimental) Needs more design and implementation security review Three keysafe servers 1) Purism 2) Faelix 3) Mine at Digital Ocean More servers needed

Is keysafe safe enough?

Human Limitations Then it constructed a signature for the new citizen two unique megadigit numbers, one private, one public and embedded them in the orphan s cypherclerk, a small structure which had lain dormant, waiting for these keys. Greg Egan, Diaspora

keysafe https://joeyh.name/code/keysafe/ Thanks https://patreon.com/joeyh

Bonus: Option for the more paranoid Generate 6 shares, with 4 shares needed to recover GPG key Store 3 on keysafe servers Store 3 locally 1 local share + 3 from servers 3 local shares + 1 from server 64kb share can be stored locally in a variety of hard to detect ways End of partition Stenanography

Bonus: Future proofing keysafe Decisions, decisions argon2 tuned to take 12 seconds on modern hardware argon2 tuned to take 10 minutes on modern hardware Shamir with 2 of 3 shares 1 byte random salt AES 256 CBC May need to change in future in a new version Version number metadata would allow partitioning shards Solution: Varry object ID generation argon2 memory use parameter depending on version

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback