
With Thunderbird 78, a new PGP subsystem has been introduced which handles PGP keys internally. In previous versions, the add-on Enigmail handled PGP-related stuff by letting GnuPG do the work behind the scenes.

I currently know only that the private PGP keys in Thunderbird 78 and later versions are protected by the master password. Now I am interested in the details: Where does Thunderbird 78 (or preferably, 91) store the private PGP keys, and how exactly are they encrypted there (algorithm, bit size etc.)?

When doing my own research, I came across many similar questions, e.g. this one, but they all related to Firefox (which would be OK, because TB is based on Firefox), and they all related to saved logins (passwords) for websites (which Firefox stores in logins.json in the profile folder), not to saved PGP private keys (which don't have anything to do with Firefox anyway).

By looking into logins.json in my Thunderbird profile folder, I could confirm that the private PGP keys are not stored there; that file contains only the passwords and user names for the IMAP accounts. Therefore, the many articles about Firefox and the encryption of passwords in logins.json don't help answer my question; I couldn't find references related to Thunderbird.

Update, 2021-09-12

Thunderbird 78+ stores the private and public keys in the profile directory in the files secring.pgp and pubring.pgp, respectively. So one of my questions is answered.

However, I still haven't found the answer to the other, more important question: How exactly are the private keys protected in secring.pgp?

Binarus
  • You may also be interested in Thunderbird's generated passphrase https://security.stackexchange.com/a/255173/8965 – Jill-Jênn Vie Sep 25 '21 at 06:04
  • Thank you very much for the hint, much appreciated. However, I had already found that answer, but now it's 8 years later, and NSS nowadays uses AES to encrypt the master key (AFAIK). – Binarus Sep 27 '21 at 15:38

1 Answer


Keys in secring.gpg are encrypted using a symmetric key derived from some password. The key derivation function is called S2K and is described in RFC 4880. Basically, it iteratively hashes the password plus some random salt.

To get the details about the exact algorithms and iterations, you may run `gpg --list-packets ~/Library/Thunderbird/Profiles/zzzzzz.default-release/secring.gpg` (or `rnp --list-packets ...`, if you have one installed).

For my secring it reports AES-256, SHA-256, and 35651584 iterations, which looks quite enough for the secret key protection: for a single password try, an implementation must hash ~35MB of data and then try a decryption. Googling the modern hashing speed returns 2-3GB/sec for SHA256, so it would give around 80 password attempts per second.

Update: edited answer to clarify the OpenPGP S2K iteration count: it is actually the number of bytes hashed, not the number of times the hash is applied to the password/salt.

  • Thanks for making me realize that I can work on TB's `secring.pgp` by using GnuPG directly that way, accepted and +1; please excuse the delay. However, I am still asking myself what actually is used as passphrase for the PGP key. It could be the master password (which you type when TB starts), but more likely, it is the symmetric key in `key4.db`. The latter means that the PGP keys are only as safe as the key in `key4.db`, so the next thing to research is how safely that key is protected. I believe I have read something about it a few months ago, but that was with respect to Firefox ... – Binarus Nov 18 '21 at 14:09
  • This is a major security hole IMHO, and a major deviation from the old Enigmail behavior. With Enigmail the PGP passphrase was cached for a few minutes but then discarded. Next time you wanted to PGP-sign an email you'd have to re-enter the passphrase. Now, the passphrase is stored permanently and anyone with physical access to your system can impersonate you and send PGP-signed emails in your name. Even the "master password", if you have one, is required only once, when starting Thunderbird. See [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1679455) - closed WONTFIX. – Jim Garrison Sep 16 '22 at 20:23
  • There is another bug instead ("Thunderbird: Support a separate, user defined OpenPGP passphrase, and the ability to relock secret keys after use"): https://bugzilla.mozilla.org/show_bug.cgi?id=1679278 – Nickolay Olshevsky Sep 17 '22 at 12:00
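
The iterated and salted S2K from RFC 4880 that the answer above refers to, as an added Python example that is not part of the original answer or of Thunderbird's code. It shows that the reported count of 35651584 is the number of octets hashed (coded count octet 0xF1) and how that bounds the guessing rate; the passphrase, salt and function names are constructed for illustration.

```python
import hashlib

def decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880, section 3.7.1.3) to octets hashed."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int = 32, hash_name: str = "sha256") -> bytes:
    """Iterated and salted S2K (type 3): hash salt+passphrase repeated up to `count` octets."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 octets")
    data = salt + passphrase
    # salt+passphrase is always hashed in full at least once, even if longer than count
    count = max(decode_count(coded), len(data))
    reps, rem = divmod(count, len(data))
    big, small = divmod(reps, 4096)
    chunk = data * 4096                      # feed the hash in large pieces for speed
    key, context = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)          # extra contexts are preloaded with zero octets
        for _ in range(big):
            h.update(chunk)
        h.update(data * small + data[:rem])
        key += h.digest()
        context += 1
    return key[:key_len]

def guesses_per_second(coded: int, hash_bytes_per_second: float) -> float:
    """Upper bound on passphrase guesses/s for one hash context at a given hash throughput."""
    return hash_bytes_per_second / decode_count(coded)

if __name__ == "__main__":
    coded = 0xF1                             # decodes to the 35651584 reported in the answer
    salt = bytes.fromhex("0011223344556677") # constructed sample salt
    key = s2k_iterated_salted(b"constructed passphrase", salt, coded)
    print(decode_count(coded), key.hex())
    print(round(guesses_per_second(coded, 3e9)), "guesses/s at 3 GB/s")
```

The cost only slows guessing of the passphrase itself; it says nothing about how the passphrase fed into S2K is stored or protected.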