Question about PGP convenience methods #404
Comments
|
For key generation, I didn't seed either of the 2 places where I use the https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/OpenPgpContext.cs#L1040 and https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/OpenPgpContext.cs#L1070 but I could... actually, I should probably re-use the same Ideally, I'd say that BC's default SecureRandom should be good enough, but this reminded me of an email by Edward Ned Harvey on the BouncyCastle mailing list that I read a while back (posted here since it's easier than linking to the mail thread):
The website now seems to be a blank page, but the github repo for tinhatrandom is https://github.com/Vanaheimr/tinhat/tree/master/tinhat Looking at more recent code, it seems to seed itself using a counter value and 32 bytes of data from RNGCryptoServiceProvider that then gets hashed using SHA256. I honestly don't know if that is secure enough, though. If not, perhaps I can add an optional SecureRandom argument to the current CreateKeyPair() method. As far as the AutoKeyRetrieve thing, you just need to set the URL of a KeyServer on the OpenPgpContext. By default, the AutoKeyRetrieve and KeyServer options are populated using the user's gpg.conf file. For example, I have: In code, it would just be something like: ctx.KeyServer = new Uri ("hkp://keys.gnupg.net");
ctx.AutoKeyRetrieve = true; |
|
Oh, one minor flaw in the AutoKeyRetrieve is that GnuPG supports some new key algorithms that BouncyCastle does not (yet?) support such as some elliptic curve algorithms. So the auto-key-retrieve logic is unable to import those because the pgp parser in BC throws an exception (my code catches it, but it obviously will fail to import). |
|
Regarding suggestions about how to seed, you might want to have a look at my code. I've just cleaned it up significantly, and among other things I am using And here ... (Same file) The idea, is that every places I need a SecureRandom I invoke the Active Event called ".p5.crypto.rng.secure-random.get", and then internally I store it as a static field. According to StackOverflow.com, some guy had looked at its source code, and claimed it was thread safe ... The way I seed it, is by (among other things) allow the user to manually type a seed during installation of the server (which obviously is not something you could do in your code). Then when I instantiate a So even if the usage of the seed internally in BC is not "optimal", and parts of the seed is "compromised", allowing an adversary to know say the first 70% of your seed, and such "predict" its result - This has little effect, since every time I seed the SecureRandom, I always has the entire seed with SHA512. A lot of these things are probably not even possible to implement from your point of view, but at least maybe allow the caller to supply his own SecureRandom instance, with a default value of null, and if none is given, simply create your own SecureRandom - At which at least for me the case would be solved ... The only place I currently use SecureRandom anyway, is when I create PGP keys. However, it might be that BC is internally using SecureRandom as it encrypts its PGP entities. Which might be an issue, since as far as I know, only the "session key" is actually asynchronously encrypted with RSA, and the "session key" is actually an AES password or something. Hence, if the SecureRandom is not giving unpredictable results, even if an adversary couldn't hack the actual RSA parts, he could possibly "predict" the session key (synchronous password), and such hack the content of the message, without hacking the PGP key ... Sorry for bringing you into the "paranoia" forest here a little bit, but I'm going through my own code, looking for all sorts of potential holes, and since I am relying upon your code, well ... :) About your KeyServer thing - Pure 100% beauty!! :D |
I have (finally) set aside time to refactor my usage of MimeKit in Phosphorus Five, which was long overdue may I add, and I started looking at some of your Open PGP convenience methods - And all I've got to say is wow! It's almost an entirely new library. Gr8 work! :)
However, I have some questions. First of all, obviously I want to use as many of your convenience methods as possible. I do however have this "super paranoid" implementation of creation of PGP keys, where I allow for manually salting the SecureRandom thing, in addition to providing other overrides, such as expiration date, bit strength, etc. How much work have you put into this method? Obviously, the nightmare scenario would be some adversary being able to predict the RNG ...?
Hence, I am reluctant to using this specific method, without knowing what it actually does, and how secure it is ...
Another method I saw, where my jaw simply dropped, was the "AutoImportFromKeyServer" thing. Wow!! I've been fiddling with this myself, and I realise just how much work doing that is. How do I use it though ...?
Do you have some sample code laying around for providing a key server, etc ...?
It really feels almost like an entirely new library though, as I started browsing through your methods. Thx a billion times Jeffrey :)
The text was updated successfully, but these errors were encountered: