[Cryptography] Is storing a hash of a private key a security risk?

Nemo nemo at self-evident.org
Tue Apr 12 13:10:29 EDT 2016


> One possible solution is to store a truncated hash of the private key
> components outside the enclave and use that to verify that nothing has
> changed, by asking the enclave whether the stored key corresponds to
> the given hash value.

...

> This is something that, on the one hand, seems to be not a good idea,
> but on the other hand I can't see any obvious problem that it would
> cause (you can use it to find out whether a given key is stored inside
> the enclave, but you can do that anyway without the hash because you
> need to identify the key to query the enclave whether the hash
> matches).

I do not see how this follows. "Identifying" a key can be as simple as
saying "Key #37". That is completely different than knowing the actual
bits of the key.

More relevantly, an attacker who knows the hash can try candidate keys
offline without ever talking to the enclave. This matters if the private
key was produced by a low-entropy process (e.g. derived from a
password). Also he can tell whether two keys are (probably) identical,
which could matter depending on how the keys are used.

That said, cryptographic hash functions behave like random functions,
which means you cannot learn anything significant about the input from
the output. You can guess the input, and you can tell when two inputs
were (probably) the same, but that's it. So assuming a strong hash
function and private keys generated with sufficient entropy, there is
nothing wrong with this scheme.

 - Nemo
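
The two leaks described in the message above, as an added example that is not part of the original post: a stored hash lets candidates be tested with no enclave query, and equal keys give equal stored values. Assumptions: SHA-256 truncated to 8 bytes, PBKDF2 as the password-to-key step, and a constructed salt and wordlist; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

TRUNC_BYTES = 8  # assumed truncation length; the post does not specify one


def check_value(private_key: bytes) -> bytes:
    """Truncated hash of the key material, as stored outside the enclave."""
    return hashlib.sha256(private_key).digest()[:TRUNC_BYTES]


def key_from_password(password: str) -> bytes:
    """Low-entropy key generation: the key is a deterministic function of a
    password. Salt and iteration count are constructed values for this demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt",
                               1000, dklen=32)


def offline_guess(stored: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Test candidate passwords against the stored value alone.
    No enclave query happens, so enclave rate limits and logs never see it."""
    for pw in candidates:
        if hmac.compare_digest(check_value(key_from_password(pw)), stored):
            return pw
    return None


# Constructed sample data.
WORDLIST = ["letmein", "correct horse", "hunter2", "password1"]

if __name__ == "__main__":
    weak = check_value(key_from_password("hunter2"))
    strong_key = secrets.token_bytes(32)  # key with full 256-bit entropy
    strong = check_value(strong_key)
    print("password-derived key:", offline_guess(weak, WORDLIST))
    print("random 256-bit key:  ", offline_guess(strong, WORDLIST))
    print("same key, same value:", check_value(strong_key) == strong)
```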