Wrong Type of Encryption Algorithm #1
Comments
marcoonroad
added
enhancement
|
The most known good encryption algorithm is Blowfish, but neither the author recommends it anymore. Instead, he recommends Twofish and forward. Twofish is slower than AES, in which is slower than Blowfish, but I should not care about performance, 'cause the importing and exporting of private keys is not an often operation in the same sense of signing and verification. There's no Twofish implementation for OCaml, only Blowfish. Therefore, I must implement Twofish by hand in OCaml or link C bindings here. |
|
I've changed my mind a bit by now. I'm using the already provided AES encryption in the Nocrypto library. There's no problem in using ECB mode of operation, 'cause our data (the private keys) are quite random, and thus, no pattern is leaked by the deterministic encryption nature of the algorithm. If our encrypted data were sensible and non-random, for instance, this picture of me, the encrypted message (a.k.a cipher text) would leak some patterns, such as my face's traces, and therefore, privacy and confidentiality are broken. In such case, the CTR and CBC modes of operations are recommended. |
|
(It doesn't mean / imply that future plans for Twofish doesn't exist.) |
|
Update: The existing Password-based Key Derivation algorithms are (from the most weak to the most strong):
Such Password-based Key Derivation Algorithms perform intensive tasks to hardening and slow automated brute-force attacks. Another possible solution is to use a deterministic Proof-of-Work (based on the given password) to derive an encryption and decryption key. The user/client could set the difficulty during the encryption/decryption process, so it would take a random but long amount of time to backup and restore private keys, thus rendering brute-force attacks infeasible. |
proof-of-work is used for the hardening of the encryption process. AES-256 bits (32 bytes) is quantum-safe (by now?), but the password as defined by the user/client might be vulnerable to brute-force and dictionary attacks. therefore, the proof-of-work ensures that the derived encryption key from the password plain text takes a long time, thus, slowing down such attacks. it turns the client encryption process really slow, a good approach might be to store such encrypted private keys with a less CPU-expensive difficulty, but whenever the user wants to backup or restore her private keys outside her computer, she must pass through this more CPU-expensive difficulty. a planned / future command line interface may deal with that, for instance, to load encrypted private keys from filesystem, the command-line may take 30-60 seconds by some certain PoW's difficulty, but whenever the user wants to dump or load base-64 versions of the encrypted private keys, 5-6 minutes is a good/secure backup time (really? must re-check that --) Signed-off-by: Marco Aurélio da Silva <[email protected]>
|
Proofs-of-Work are often RAM-memory-friendly, so attacks made by ASICs decrease the hardening embedded as a Key Derivation Function here. I should drop such "hacking" / workaround and look forward the Argon2 password-based key derivation function anyways. |
|
BUMP: There's some folks who don't trust AES. 🙃 |
Nevermind, using AES CBC nevertheless. |
It's quite wrong to use ARC4 / Stream Cipher encryption algorithms here. I really don't remember why I had such idea in the first place. Stream ciphers are only good if the following conditions are meet:
In our current state of affairs, we're doing the opposite of that. Really. And it's really insecure by doing that, so. Really. Our private keys have a fixed-length, first and foremost. We're quite wrong here, and it's annoying for any expert information security engineer to see that. By second, the keys to encrypt and decrypt private keys can be used and reused again, indefinitely, 'cause it's the responsibility of the caller / client of our library to define that. Again, we're quite wrong and this can render the whole Post-Quantum security of this library as flawed even on Classical Machines.
Therefore, I should figure out Block Cipher algorithms to use here instead. By preference, strong ones.
The text was updated successfully, but these errors were encountered: