[Cryptography] Is storing a hash of a private key a security risk?

Peter Fairbrother peter at m-o-o-t.org
Tue Apr 12 13:29:28 EDT 2016


On 12/04/16 12:13, Peter Gutmann wrote:
> For private keys stored in a secure enclave in an embedded environment,
> there's some concern that over long periods of time the key components may be
> subject to bit rot/corruption.  One possible solution is to store a truncated
> hash of the private key components outside the enclave and use that to verify
> that nothing has changed, by asking the enclave whether the stored key
> corresponds to the given hash value.  Without going into a huge amount of
> detail on the specific application, it has to be a hash, it can't be a MAC or
> something similar, and the hash can't be stored inside the enclave because it
> only stores key components (it's a hardware constraint).
>
> This is something that, on the one hand, seems to be not a good idea, but on
> the other hand I can't see any obvious problem that it would cause (you can
> use it to find out whether a given key is stored inside the enclave, but you
> can do that anyway without the hash because you need to identify the key to
> query the enclave whether the hash matches).
>
> Can anyone see any problems with this?  Or suggest an alternative approach
> that doesn't violate the constraints imposed by the hardware?
>
> Peter.

I suppose you could use it test guesses of keys, but that doesn't help 
an attacker much.

If the hash was seriously broken (and aren't they all??) though, then 
maybe you could use it to test swathes of guesses (all of which had the 
same hash value) at once, which might help an attacker.

Also, with the hash value stored outside the secure enclave, the hash 
value is then presumably public, or should be considered so.


Then an attacker doesn't need to use the secure enclave itself to do the 
tests, he can do them offline, so to speak.

Of course an attacker can test guesses by trying the guess in the 
ordinary way, but maybe testing hash values is quicker - probably so, 
especially if the hash might at some point be broken so as to give some 
data about possible and impossible preimages; it would give some data 
about the keys.


-- Peter Fairbrother
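The scheme under discussion, as an added illustration that is not part of the thread and not code from either Peter: a toy stand-in for the enclave stores only key components, an external party keeps a truncated hash of those components, and integrity is checked by asking the enclave whether the stored key matches that hash. The sample key components, the 64-bit truncation width, the length-prefixed SHA-256 construction and the `Enclave` class are all assumptions made for this example. The bit-flip at the end shows the check doing its job; the same comparison can be run by anyone holding the external value, which is why that value has to be treated as public and the truncation width chosen deliberately (it bounds how much of the key the external value can reveal).

```python
import hashlib
import hmac
import os

# Width of the truncated hash kept outside the enclave: an assumption for
# this example. Every bit kept here is a bit an outsider can test against.
TRUNC_BYTES = 8


def key_digest(components: list[bytes]) -> bytes:
    """Hash the key components in order, length-prefixed so that component
    boundaries are unambiguous, then truncate to TRUNC_BYTES."""
    h = hashlib.sha256()
    for c in components:
        h.update(len(c).to_bytes(4, "big"))
        h.update(c)
    return h.digest()[:TRUNC_BYTES]


class Enclave:
    """Toy enclave (assumption): it holds only key components and answers
    whether the key under a given id matches a supplied truncated hash."""

    def __init__(self) -> None:
        self._keys: dict[str, list[bytes]] = {}

    def store(self, key_id: str, components: list[bytes]) -> None:
        self._keys[key_id] = [bytes(c) for c in components]

    def matches(self, key_id: str, truncated_hash: bytes) -> bool:
        components = self._keys.get(key_id)
        if components is None:
            return False
        # Constant-time comparison; the hash is recomputed over what is
        # actually stored, so any corruption changes the answer.
        return hmac.compare_digest(key_digest(components), truncated_hash)

    def simulate_bit_rot(self, key_id: str, byte_index: int, bit: int) -> None:
        """Flip one bit of the first stored component (test hook only)."""
        comp = bytearray(self._keys[key_id][0])
        comp[byte_index] ^= 1 << bit
        self._keys[key_id][0] = bytes(comp)


def demo() -> tuple[bool, bool]:
    """Returns (verdict before corruption, verdict after a single bit flip)."""
    enclave = Enclave()
    # Constructed sample key components; a real key would be e.g. RSA p, q, d.
    components = [os.urandom(32), os.urandom(32)]
    enclave.store("key-1", components)

    # The truncated hash lives outside the enclave (ordinary flash, say).
    external_hash = key_digest(components)

    before = enclave.matches("key-1", external_hash)
    enclave.simulate_bit_rot("key-1", byte_index=5, bit=3)
    after = enclave.matches("key-1", external_hash)
    return before, after


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The length prefix matters: without it, components `[b"ab", b"c"]` and `[b"a", b"bc"]` would hash identically, so a corruption that merely shifted a boundary could go unnoticed.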

