On 04/06/2012 10:55 AM, Greg Stein wrote:
>> In other words, changing the master passphrase only requires decrypting
>> and re-encrypting one 256-bit encryption key, not the whole credentials
>> store.
> PBKDF2 is in the current design to make dict attacks computationally
> "impossible". Assuming we keep that, then the above value would be fed
> in as the secret to PBKDF2, rather than MP or sha1(MP) ?
If I understand you correctly, that wouldn't make sense. PBKDF2 is
designed to provide some resistance against offline dictionary attacks
against a weak secret, at the cost of computational power for legitimate
users. If you have a strong secret, there's no point in running it
through PBKDF2.
Under the suggested architecture, you'd use PBKDF2(MP) to decrypt the
master key, and then use the master key to decrypt the individual passwords.
I also want to caution that PBKDF2 does not provide strong protection
against offline dictionary attacks. Most cryptographic methods provide
exponential protection--I do a little bit more work to make you do twice
as much work. PBKDF2 provides only linear protection--I do twice as
much work to make you do twice as much work. It does not make
dictionary attacks "impossible" in the same sense that AES-128 makes
decryption without knowing the key "impossible".
If a system can be designed to prevent offline dictionary attacks
entirely, that's much better. But for this application, that's probably
impossible, since it's easy to distinguish a valid result (a password,
which will be printable ASCII) from garbage.
Received on 2012-04-06 17:10:15 CEST
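The two-tier design the reply describes, worked through as an added example that is not part of this mail thread or of Subversion's code: PBKDF2(MP) yields a key-encrypting key that wraps one random 256-bit master key, the master key encrypts the individual credentials, and changing the passphrase re-wraps only the master key. The iteration count, the passphrases and the realm names are constructed for the illustration. AES is not in the Python standard library, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for an AEAD such as AES-GCM; the tier structure, not the cipher, is the point. The dictionary attack at the end shows the two properties the reply warns about: every guess costs the attacker exactly one PBKDF2 run (linear, not exponential, protection), and the attacker can tell a hit from a miss, here via the authentication tag and, as the post notes, via the printable-ASCII shape of the decrypted password.

```python
"""Two-tier credential store: PBKDF2(MP) -> KEK -> wrapped master key -> credentials.
Added illustration, not project code. HMAC-SHA256 in counter mode plus an
encrypt-then-MAC tag stands in for AES-GCM because AES is not in the stdlib."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 20_000  # assumed work factor for the demo; tune upward in practice


def kek_from_passphrase(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the (possibly weak) human passphrase into a 256-bit key-encrypting key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys so the two HMAC uses never share inputs.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class CredentialStore:
    """Only wrapped_master_key depends on the passphrase; entries depend on the master key."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        master_key = os.urandom(32)  # the single 256-bit key the reply talks about
        self.wrapped_master_key = encrypt(kek_from_passphrase(passphrase, self.salt), master_key)
        self.entries = {}  # realm -> ciphertext under the master key

    def _unlock(self, passphrase: str) -> bytes:
        # PBKDF2(MP) decrypts the master key; a wrong passphrase fails the tag check.
        return decrypt(kek_from_passphrase(passphrase, self.salt), self.wrapped_master_key)

    def store(self, passphrase: str, realm: str, password: str) -> None:
        self.entries[realm] = encrypt(self._unlock(passphrase), password.encode("utf-8"))

    def fetch(self, passphrase: str, realm: str) -> str:
        return decrypt(self._unlock(passphrase), self.entries[realm]).decode("utf-8")

    def change_passphrase(self, old: str, new: str) -> None:
        master_key = self._unlock(old)
        self.salt = os.urandom(16)
        self.wrapped_master_key = encrypt(kek_from_passphrase(new, self.salt), master_key)
        # self.entries is deliberately untouched: no credential is re-encrypted.


def looks_like_password(candidate: bytes) -> bool:
    """The oracle the reply mentions: a real password is printable ASCII, garbage is not."""
    return len(candidate) > 0 and all(32 <= b < 127 for b in candidate)


def dictionary_attack(store: CredentialStore, candidates):
    """Offline attack on a stolen store. Returns (passphrase or None, PBKDF2 runs spent).
    Each guess costs exactly the defender's iteration count: linear protection only."""
    for n, guess in enumerate(candidates, start=1):
        try:
            master_key = store._unlock(guess)  # tag rejects every wrong KEK outright
        except ValueError:
            continue
        # Even without a tag the attacker could confirm the hit from the plaintext shape.
        if all(looks_like_password(decrypt(master_key, ct)) for ct in store.entries.values()):
            return guess, n
    return None, len(candidates)


if __name__ == "__main__":
    store = CredentialStore("correct horse")  # constructed demo passphrase
    store.store("correct horse", "https://svn.example.org", "s3cret-pw")
    store.change_passphrase("correct horse", "battery staple")
    print(store.fetch("battery staple", "https://svn.example.org"))
    print(dictionary_attack(store, ["password", "letmein", "battery staple"]))
```

Note that `change_passphrase` also rotates the salt, so a stolen copy of the old wrapped key does not help against the new one; the credentials themselves never leave the master key's protection, which is exactly why only one 256-bit value has to be re-encrypted.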