[Cryptography] Security weakness in iCloud keychain

Ralf Senderek crypto at senderek.ie
Mon May 7 14:23:06 EDT 2018


On Mon, 7 May 2018, Bill Frantz wrote:

> I'm reading the comments about the evils of storing passwords with 
> somewhat rye amusement.
> [...]
>
> (1) Signed challange with public key crypto, user certs, or other 
> similar trickery. The secret key probably needs to be stored in
> the computer because very very few people could remember
> it, or even copy it correctly from a piece of paper into the computer.

Seriously, nobody expects a user to enter a (RSA) secret key into the 
computer to use it. What can be expected though is that the user enters a
sufficiently complicated passphrase which will be used to AES-encrypt
the secret key, and that this secret is NOT stored in the computer but
only in her brain. In additon it can be expected that without entering
this passphrase the secret key cannot be used.
To assume that critical comments require absurd procedures is - well - not 
helpful.

      --ralf


More information about the cryptography mailing list