[Cryptography] Is storing a hash of a private key a security risk?

Phillip Hallam-Baker phill at hallambaker.com
Tue Apr 12 16:13:38 EDT 2016


On Tue, Apr 12, 2016 at 2:41 PM, Ron Garret <ron at flownet.com> wrote:
>
> On Apr 12, 2016, at 4:13 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>
>> For private keys stored in a secure enclave in an embedded environment,
>> there's some concern that over long periods of time the key components may be
>> subject to bit rot/corruption.  One possible solution is to store a truncated
>> hash of the private key components outside the enclave and use that to verify
>> that nothing has changed, by asking the enclave whether the stored key
>> corresponds to the given hash value.  Without going into a huge amount of
>> detail on the specific application, it has to be a hash, it can't be a MAC or
>> something similar, and the hash can't be stored inside the enclave because it
>> only stores key components (it's a hardware constraint).
>>
>> This is something that, on the one hand, seems to be not a good idea, but on
>> the other hand I can't see any obvious problem that it would cause (you can
>> use it to find out whether a given key is stored inside the enclave, but you
>> can do that anyway without the hash because you need to identify the key to
>> query the enclave whether the hash matches).
>>
>> Can anyone see any problems with this?  Or suggest an alternative approach
>> that doesn't violate the constraints imposed by the hardware?
>
> Why not just sign an empty string and verify that the signature verifies against the public key?

That does not necessarily guarantee a machine in a single stuck fault
state will calculate the wrong result.
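The truncated-hash integrity check from Peter's question, as an added Python sketch that is not from the thread: the enclave object, the key component names, the 8-byte truncation and the simulated bit rot are all constructed stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

TRUNC_BYTES = 8  # length of the truncated hash kept outside the enclave (constructed choice)


def key_digest(components: dict[str, bytes]) -> bytes:
    """Truncated SHA-256 over the private key components, fed as
    name || 4-byte length || value in sorted order so the encoding is unambiguous."""
    h = hashlib.sha256()
    for name in sorted(components):
        value = components[name]
        h.update(name.encode("ascii"))
        h.update(len(value).to_bytes(4, "big"))
        h.update(value)
    return h.digest()[:TRUNC_BYTES]


@dataclass
class Enclave:
    """Stand-in for the hardware: holds only key components and answers
    'does key_id correspond to this hash?' without exporting the key."""
    _keys: dict[str, dict[str, bytes]] = field(default_factory=dict)

    def store(self, key_id: str, components: dict[str, bytes]) -> bytes:
        self._keys[key_id] = dict(components)
        return key_digest(components)  # caller keeps this outside the enclave

    def matches(self, key_id: str, digest: bytes) -> bool:
        return hmac.compare_digest(key_digest(self._keys[key_id]), digest)

    def flip_bit(self, key_id: str, component: str, bit: int) -> None:
        buf = bytearray(self._keys[key_id][component])  # simulate bit rot
        buf[bit // 8] ^= 1 << (bit % 8)
        self._keys[key_id][component] = bytes(buf)


def demo() -> tuple[bool, bool]:
    """Returns (check result before corruption, check result after one flipped bit)."""
    enclave = Enclave()
    # Constructed stand-in for RSA private components: random bytes, not a real key.
    components = {"p": os.urandom(128), "q": os.urandom(128), "d": os.urandom(256)}
    stored = enclave.store("signing-key-1", components)
    before = enclave.matches("signing-key-1", stored)
    enclave.flip_bit("signing-key-1", "q", 37)
    after = enclave.matches("signing-key-1", stored)
    return before, after
```

The length-prefixed encoding matters: without it, shifting bytes between two adjacent components would hash to the same value and the check would miss that corruption.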

