[Cryptography] Cost of creating huge theft targets [Was: Cost of remembering a password]

Jerry Leichter leichter at lrw.com
Tue Aug 19 21:38:38 EDT 2014


On Aug 18, 2014, at 3:24 PM, Bear <bear at sonic.net> wrote:
>> Actually, recent versions of Safari do that.  When they recognize a
>> password field on a page that they don't have a password stored for,
>> they generate one and offer to save it for you.  If you share your
>> keychains through iCloud, the generated passwords become accessible on
>> all your Apple devices.  Doesn't help with non-Apple devices, though.
> 
> This.  This is exactly why I will never, ever, use this feature.
> 
> In order for this password to 'sync' across other devices, it 
> has to be stored, in clear or with cleartext recoverable, 
> nonlocally at the site of a trusted service where it is part of
> an aggregated theft target having massively greater value than 
> my password alone....
Interestingly, Apple has addressed this issue in a white paper (http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf).  They claim they don't store anything that they could decrypt.

In the case of transfers between already-registered devices, it's not hard to see how to do this.  Each registering device generates a public/private key pair and sends the public key to Apple, which in turn sends it to each other registered device.  A device that uploads passwords encrypts them with a key-encryption-key, then delivers the encrypted data, plus the key encryption key encrypted with each of the public keys, to Apple, which in turn pushes it out to all the other devices.  Each device can decrypt because it has its own private key, but Apple can't as all it has is a bunch of public keys, and no private keys.

The hard part occurs when you get a new device and want to register it for the first time.  This uses your password - there's nothing else that can bind a new device to you.  I don't recall how it does things from here.  Perhaps it's as simple as deriving the key encryption key from the password.

I'm not saying Apple does everything right.  I doubt it.  What I'm saying is that it's *possible* to have such a system without creating a significant vulnerability in the central distribution point.  *Some* vulnerability, sure.  But it's by no means clear that the vulnerability is in any significant way different from the vulnerability of storing your passwords anywhere else.  Keeping the stuff on your own machine - perhaps one in your pocket - is adding one kind of physical security to the security the crypto gives you.  Against most attackers, it's much easier to steal your phone or a server in your basement than to get into some major corporation's secure data center.  The relative difficulty may go the other way for a government agency, and if that's your biggest concern, keeping the stuff entirely in your head is your only realistic approach.  For most people, the end result of that is heavy reuse of a couple of passwords, since very few of us can remember more than that.

                                                        -- Jerry
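The already-registered-device case described in the message above (a fresh key-encryption key, wrapped once per device public key, with the relay holding only public keys and ciphertext), as an added sketch that is not part of the original message and is not Apple's implementation. RSA-OAEP, AES-256-GCM, and every function and device name here are assumptions chosen for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Each device generates its own key pair; only publicKey is ever sent to the relay.
function registerDevice() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Uploading device: encrypt the passwords under a fresh key-encryption key (KEK),
// then wrap that KEK once per registered public key. The returned bundle is
// everything the relay stores and pushes out; it contains no private key.
function sealBundle(passwords, publicKeys) {
  const kek = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const enc = nodeCrypto.createCipheriv('aes-256-gcm', kek, nonce);
  const ciphertext = Buffer.concat([enc.update(passwords), enc.final()]);
  const wrapped = {};
  for (const [device, publicKey] of Object.entries(publicKeys)) {
    wrapped[device] = nodeCrypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, kek);
  }
  return { nonce, ciphertext, tag: enc.getAuthTag(), wrapped };
}

// Receiving device: unwrap the KEK with the local private key, then decrypt.
// Throws if the private key does not match or the bundle was modified.
function openBundle(bundle, device, privateKey) {
  const kek = nodeCrypto.privateDecrypt(
    { key: privateKey, oaepHash: 'sha256' }, bundle.wrapped[device]);
  const dec = nodeCrypto.createDecipheriv('aes-256-gcm', kek, bundle.nonce);
  dec.setAuthTag(bundle.tag);
  return Buffer.concat([dec.update(bundle.ciphertext), dec.final()]);
}

// Constructed sample data: two registered devices and one made-up credential.
function demo() {
  const phone = registerDevice();
  const laptop = registerDevice();
  const bundle = sealBundle(Buffer.from('example.com:constructed-password'),
    { phone: phone.publicKey, laptop: laptop.publicKey });
  return openBundle(bundle, 'laptop', laptop.privateKey).toString();
}
console.log(demo());
```

The sketch covers only devices that are already registered; enrolling a new device, which the message calls the hard part, is outside it.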


