undefined | Better HN

0 pointsmaxtaco12y ago0 comments

We seem to have hit a real nerve here. I ask everyone to question their assumptions just for a moment. If you post a public key, you are letting the world see p*q. Is it insane to let some people see AES_k(p,q) if k is 256 random bytes? If you think yes, then you are making a strong judgment about the relative difficulty of two very different problems in Crypto that are thought to be quite hard. I realize there are issues surrounding coming up with good k's and keeping those k's secret; are these issues at the core of people's objections?

0 comments

11 comments · 2 top-level

davmre12y ago· 6 in thread

Imagine that Keybase is compromised. It starts serving a password-prompt page that looks identical to the previous, but now sends your decrypted key straight to the malicious attacker.

Storing your private key on Keybase allows Keybase to become a single point of failure, which pretty much defeats the whole point of distributed social verification in the first place.

rdl12y ago

And worse -- it only needs to send that special password prompt page to a specific IP or user of interest, and maybe only when it comes from a mac box (if the victim is known to do auditing on a linux box, but uses it as a regular client on mac).

Shipping packaged software with evil inside to ~everyone is risky because at least one user is likely to find a bug (accidentally) and try to trace/reverse/whatever (or, at the very least, if you do networked evil, some kind of IDS/firewalling).

Per-user downloads, especially at time of each use, are vastly more risky; this is the "hushmail attack".

maxtacoOP12y ago

We're definitely worried about the hushmail attack, and we disclaim browser-based crypto on the site for those who want to protect against powerful adversaries. Some users might not have those concerns.

You've obviously indicated valid concerns, but note, they're not indictments of storing an encrypted private key on the server so much as they are of browser crypto.

1 more reply

tlrobinson12y ago

As an aside, the web is an extremely convenient application distribution platform, it seems like a shame we can't securely use it for anything remotely sensitive. Is there a middle ground somewhere? e.x. signed bundles of HTML/CSS/JS?

voltagex_12y ago

If you ever run into a VBScript on an old section of microsoft.com, it's likely to be signed. I think I've seen a Sharepoint Javascript file with a signature block on the end but I wonder if MS had more plans for this.

maxtacoOP12y ago

We agree this is a problem, all of those who try to access their private key during the compromise would be in trouble. Those who stayed offline would be safe.

BTW, this argument does not extend to the CLI or other uncompromised clients. People who sync their private keys across devices with the CLI are unaffected.

peterwwillis12y ago

I'm confused. It sounds like users are able to sync their private keys with the CLI, or with the web interface. It also sounds like if they do it with the web interface, they are at risk, whereas with the CLI they are not at risk.

If my understanding is correct, my question is: What is the reason for this difference in security for the two use cases, and isn't there some way to provide web access without reducing security? What about browser add-ons? Client certificates?

1 more reply

lifeisstillgood12y ago· 3 in thread

As the article pointed out, what if your key (AES_k) is compromised? I mean what is the point of storing `AES_k(p,q) if k is random` unless you keep k somewhere?

What do you use that for?

I like the idea of a common way of proving one owns certain social identities. It is probably worth pointing out that the level of trust we give varies - Google "trusts" I own the domain when I put their random key on my homepage. Its not the kind of trust we would send (a lot of) money using, but its the level you guys seem to be aiming for - its a good level in a fair society.

maxtacoOP12y ago

k is derived from a password in this case, so capture of the password implies capture of k.

We give people the option to store their encrypted secret keys on our server to make it easier to manage their key and sync it across their devices.

lifeisstillgood12y ago

Can I suggest that feature is a distraction from your core offering and a really big negative perception problem.

Almost everyone who will use this for the first x years will be technically savvy - for example having heard of PGP. And as such they will have seen a hundred "secure" sites that try and keep passwords and keys on the server - do not associate yourself with that level of security obfuscation.

Cut some code out of your codebase, keep your marketing message small and tight - and offering to also sync keys across devices is not a tight message.

tveita12y ago

So when you say "if k is 256 random bytes" it's a flat out lie?

e: if k really was 256 random bytes, or bits even, it would mostly be an unnecessary complication. But that's a completely opposite situation from a key derived from a user chosen password.

1 more reply

j / k navigate · click thread line to collapse

0 comments

11 comments · 2 top-level

davmre12y ago· 6 in thread

Imagine that Keybase is compromised. It starts serving a password-prompt page that looks identical to the previous, but now sends your decrypted key straight to the malicious attacker.

Storing your private key on Keybase allows Keybase to become a single point of failure, which pretty much defeats the whole point of distributed social verification in the first place.

rdl12y ago

Per-user downloads, especially at time of each use, are vastly more risky; this is the "hushmail attack".

maxtacoOP12y ago

You've obviously indicated valid concerns, but note, they're not indictments of storing an encrypted private key on the server so much as they are of browser crypto.

1 more reply

tlrobinson12y ago

voltagex_12y ago

maxtacoOP12y ago

We agree this is a problem, all of those who try to access their private key during the compromise would be in trouble. Those who stayed offline would be safe.

BTW, this argument does not extend to the CLI or other uncompromised clients. People who sync their private keys across devices with the CLI are unaffected.

peterwwillis12y ago

1 more reply

lifeisstillgood12y ago· 3 in thread

As the article pointed out, what if your key (AES_k) is compromised? I mean what is the point of storing `AES_k(p,q) if k is random` unless you keep k somewhere?

What do you use that for?

maxtacoOP12y ago

k is derived from a password in this case, so capture of the password implies capture of k.

We give people the option to store their encrypted secret keys on our server to make it easier to manage their key and sync it across their devices.

lifeisstillgood12y ago

Can I suggest that feature is a distraction from your core offering and a really big negative perception problem.

Cut some code out of your codebase, keep your marketing message small and tight - and offering to also sync keys across devices is not a tight message.

tveita12y ago

So when you say "if k is 256 random bytes" it's a flat out lie?

e: if k really was 256 random bytes, or bits even, it would mostly be an unnecessary complication. But that's a completely opposite situation from a key derived from a user chosen password.

1 more reply

j / k navigate · click thread line to collapse