
I know this sounds like a dumb question, but what's wrong with it? Assuming that all private data is encrypted (by the client) using PBE AES256, then is this scheme more vulnerable than storing keys on your local computer?

Pros:

  • all of your devices (smartphone, laptop, camera?) have access to the same keys without having to copy them everywhere and protect multiple devices
  • assuming the key server is hosted by someone who knows security, the data should be more secure than your smartphone or laptop

Cons:

  • a single successful attack could take down millions of (encrypted) keys in one go (remote attack, malicious employee, etc)

My understanding of the current situation is that you keep your private keys encrypted on your local computer protected by a passphrase (*.JKS, *.BKS, secring.gpg, etc). An attacker could write a trojan that uploads all of your private key files to a server under his control. This has recently started happening with BitCoin wallet files, so it's plausible it could happen with key stores. That would net the attacker many key stores in one go, the same as a successful attack on a key server, and, as far as I can tell, for approximately the same complexity. Also, current key store files aren't providing any more protection from an attacker than AES256 would, since they all revolve around the user's passphrase.

It appears to me that the real weak point here is the user's passphrase and not necessarily where the keys are stored. Am I wrong? I know this isn't the ideal situation, but I'm comparing it to the current situation.

Thomas Pornin
senecaso

2 Answers


Anything which is encrypted with PBE (as in "Password Based Encryption") can be the subject of an offline dictionary attack (i.e.: the attacker tries potential passwords). This is a worry unless you have a super-strong password, which is not as easy as it can seem because you also have to remember it, and to type it regularly (if you note it down somewhere, it is not really super-strong). Shortcomings of not-so-strong passwords can be somewhat mitigated by using heavyweight Key Derivation Functions such as bcrypt.

"Strong enough" means "having an entropy of 128 bits or more" which means "the password generation scheme you used may have generated at least 2^128 other distinct passwords" -- so we are not talking about 8 or 10 characters, rather 20 completely random characters, or a list of 10 randomly chosen "common words". Speaking of which, it is meaningless to insist on AES-256 in that situation: AES-128 will be already fine (i.e. the weakness will be the password, not the AES).

If you have a strong enough password, you can store in the cloud whatever confidential data you wish, encrypted relatively with this password, including private keys. You still have to trust the cloud manager for not losing your files, but, on average, data is safer in the cloud than in the entrails of an expensive mobile phone that you brandish when walking in the street (remember, mobile phones are stolen even more often than cars). Unless the cloud manager has a grudge against you, of course.

Thomas Pornin
  • Good point about AES128. Thanks for pointing that out. I agree with you completely, but how many existing key stores are protected with passwords fitting your description? My guess is near 0. So wouldn't that mean that storing in the cloud is no more vulnerable than the current situation? As for trust, you have to trust everyone that uses your computer/phone to not be malicious, so it's probably no different than trusting your cloud manager. In fact, it might just be safer to assume your keys have been stored publicly so that you know you're ultimately relying on your password. – senecaso Oct 17 '11 at 04:38
  • @senecaso That assumes that you trust your cloud provider. A secure model requires that you assume the cloud provider is potentially malicious. If it's malicious, they have offline access to the passwords. All in all it's a bad idea to assume something is going to be secure, such as assuming you'll never have an insecure password. – Steve Oct 17 '11 at 18:51
  • @SteveS, do you mean to say "they have offline access to the encrypted data"? If not, I think you are assuming the authentication password is the same as the encryption password, which may not be true. Even if it was, it could be mitigated by the client hashing the password before sending it to the server and the server storing a secure hash of that. You indicate I should assume the cloud manager is malicious, but I am. I said "it might just be safer to assume your keys have been stored publicly so that you know you're ultimately relying on your password". Am I missing something? – senecaso Oct 18 '11 at 00:31
  • @senecaso I guess I'm reading your comment wrong. Are you saying that you expect the same level of maliciousness from users of your computer as from the hosters of the cloud? – Steve Oct 18 '11 at 15:52
  • You may be reading it right :) I'm saying I think the cost for an attacker to get your key store from the cloud or from your computer is roughly equivalent, so ultimately it's just the user's password that is protecting the private keys, meaning it's probably OK to store them in the cloud. I guess I'm not saying your computer's users are as malicious as your cloud manager may be, but the attacker could infect your machine with malware (remotely) or use physical access or social engineering to get copies of your key stores. – senecaso Oct 18 '11 at 22:15
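As an added example (not part of the answer or the comments above), the following Python script puts numbers on the "strong enough" rule from the answer and on the client-side hashing idea from the comments: it computes the entropy of the three password schemes mentioned, shows how a heavyweight KDF adds work per guess, and derives a client-only AES-128 key and a separate login token from one passphrase. The pool sizes (94 printable ASCII symbols, a 7776-word list) and the use of stdlib PBKDF2-HMAC-SHA256 in place of bcrypt are assumptions of this example.

```python
"""Added example, not from the original thread: quantifies the 'strong enough' rule from
the answer above and the client-side password hashing raised in the comments.
Pool sizes are assumptions (94 printable ASCII symbols; a 7776-entry, Diceware-size word
list); PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/scrypt."""
import hashlib
import hmac
import math

PRINTABLE_ASCII = 94   # assumed symbol pool for "completely random characters"
WORD_LIST = 7776       # assumed size of the "common words" list

def password_entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly at random from `pool_size` choices."""
    return length * math.log2(pool_size)

def effective_bits(password_bits: float, kdf_iterations: int) -> float:
    """Every KDF iteration multiplies an offline guesser's work, so a heavyweight KDF adds
    roughly log2(iterations) bits on top of the password's own entropy."""
    return password_bits + math.log2(kdf_iterations)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate of a `bits`-bit space at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def derive_keys(password: str, salt: bytes, iterations: int = 200_000) -> tuple[bytes, bytes]:
    """Split one passphrase into an AES-128 data key (never leaves the client) and a
    separate login token (sent to the server) via domain-separated salts, so a server
    that sees the token still cannot recover the data key without guessing the password."""
    pw = password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, b"enc|" + salt, iterations, dklen=16)
    login_token = hashlib.pbkdf2_hmac("sha256", pw, b"auth|" + salt, iterations, dklen=32)
    return enc_key, login_token

def server_enroll(login_token: bytes) -> bytes:
    """Server side: store only a hash of the token (still subject to offline guessing)."""
    return hashlib.sha256(login_token).digest()

def server_verify(stored_hash: bytes, presented_token: bytes) -> bool:
    """Server side: constant-time comparison of the presented token against the stored hash."""
    return hmac.compare_digest(stored_hash, hashlib.sha256(presented_token).digest())

if __name__ == "__main__":
    for label, pool, n in [("8 random chars", PRINTABLE_ASCII, 8),
                           ("20 random chars", PRINTABLE_ASCII, 20),
                           ("10 random words", WORD_LIST, 10)]:
        bits = password_entropy_bits(pool, n)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, 1e12):.3g} years at 1e12 guesses/s")
    enc_key, token = derive_keys("correct horse battery staple", b"per-user-salt")
    print("server accepts token:", server_verify(server_enroll(token), token))
```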

It all comes down to trust, in the end. If, as @Thomas says, you encrypt things heavily enough you are removing the need to trust the cloud provider, however if you are trusting the cloud provider to encrypt the data securely for you I'd be much more worried. Not because I don't think they can, but because there are so many layers where implementation could fail. An attacker can try to break all of these - and may gain access to your keys and data while actually targeting something else hosted by that cloud provider - so your likelihood of being compromised increases.

If I store my private keys on a device only I have access to, I can control the level of risk (by taking precautions) but also am a much smaller target, as very few attackers would want to come after me.

In the end this isn't really a technical question, it's much more a risk and trust question. Do you trust the implementation in the cloud to protect you despite the raised risk profile?

Rory Alsop