Welcome to the Internet, here's your private key

Bill Stewart bill.stewart at pobox.com
Mon Feb 4 13:20:58 EST 2002


 > From: 	Jaap-Henk Hoepman[SMTP:hoepman at cs.utwente.nl]
 >
 > It's worse: it's even accepted practice among certain security
 > specialists. One of them involved in the development of a CA service
 > once told me that they intended the CA to generate the key pair.
 > After regaining consciousness I asked him why he thought
 > violating one of the main principles of public key
 > cryptography was a good idea. His answer basically ran as follows:
 > if the CA is going to be liable, they want to be sure the key is strong
 > and not compromised. He said that the PC platform of an ordinary user
 > simply wasn't secure/trusted enough to generate keys on.
 > The system might not generate `good enough' randomness,
 > or might have been compromised by a trojan.

If the system is compromised by a trojan, then the user is
already toast, and storing the private key on the machine
is just as dangerous as generating it there.
Giving the user a smartcard to run everything on,
as Peter Trei suggested, is a partial fix, though a sufficiently
targeted trojan may be able to trick the smartcard into
signing or decrypting things that it shouldn't.

Randomness quality could be a genuine issue.  The solution to that
is not to give the user the key - it's to give the user a string
of officially strong random numbers and have them type that in
to the key generator along with waving their mouse and
other randomness generation techniques, and the risks from
compromise if somebody eavesdrops on the transmission of the
random number are much less serious than eavesdropping on the key.

There are special cases where the user's machine doesn't have
the CPU horsepower to generate a key - PCs are fine,
but perhaps Palm Pilots and similar handhelds are too slow
(though a typical slow 33MHz 68000 or Dragonball is faster
than the 8086/80286 MSDOS machines that PGP originally ran on.)
Cash machines may be too slow, but they normally run symmetric crypto.
A smartcard-only system probably _is_ too limited to generate keys,
but that's the only realistic case I see.
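The mixing step Bill describes above (a CA-supplied string of strong random numbers typed into the key generator alongside mouse-waving and other local entropy), as an added example in Python that is not part of the original post. It uses HKDF (RFC 5869) as the extractor over length-prefixed inputs so that neither source alone determines the seed; the names extract_seed, derive_keygen_prng and gather_local_entropy are assumptions, and the stand-in for mouse-waving is constructed from OS randomness plus timer jitter.

```python
"""Mixing an officially supplied random string with local entropy.

Added example, not code from the original message. The CA hands the user
a string of strong random bytes; the user's key generator feeds that plus
whatever it gathered locally through an extractor, so an eavesdropper who
captures the transmitted string still does not learn the key-generation seed.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): stretch PRK into `length` bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def extract_seed(*sources: bytes, label: bytes = b"keygen-seed-v1") -> bytes:
    """Combine any number of entropy sources into one seed (hypothetical helper).

    Each source is length-prefixed before concatenation so that splitting the
    same bytes differently between sources cannot produce the same IKM.
    The label is a fixed, public salt; secrecy rests only on the sources.
    """
    ikm = b"".join(struct.pack(">I", len(s)) + s for s in sources)
    return hkdf_extract(label, ikm)


def gather_local_entropy(samples: int = 64) -> bytes:
    """Stand-in for mouse-waving: OS randomness plus timing jitter (constructed)."""
    buf = bytearray(secrets.token_bytes(32))
    for _ in range(samples):
        buf += struct.pack(">Q", time.perf_counter_ns())
    return bytes(buf)


def derive_keygen_prng(official_random: bytes, local_entropy: bytes,
                       length: int = 64) -> bytes:
    """Seed material a deterministic key generator would consume (hypothetical).

    The output depends on both inputs; knowing only the official string
    (the eavesdropper's position) yields a different stream.
    """
    seed = extract_seed(official_random, local_entropy)
    return hkdf_expand(seed, b"rsa-keygen-prng", length)


if __name__ == "__main__":
    # Constructed stand-in for the string the CA would hand the user.
    official = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    local = gather_local_entropy()
    stream = derive_keygen_prng(official, local)
    eavesdropper_guess = derive_keygen_prng(official, b"")
    print("seed stream      :", stream.hex())
    print("official-only    :", eavesdropper_guess.hex())
    print("differ           :", stream != eavesdropper_guess)
```

The point of the two HKDF stages is the one the post makes: the transmitted random string can be eavesdropped, so it is treated as a public-ish contribution that only needs to be strong, while the local entropy, however weak, is what the eavesdropper lacks; the extractor makes the seed unpredictable to anyone who holds only one of the two. The official-only stream printed at the end is what an eavesdropper could reconstruct, and it does not match the real seed stream.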


---------------------------------------------------------------------
The Cryptography Mailing List