1995-01-18 - Re: Key backup (was: How do I know . ..)

Header Data

From: “Dr. D.C. Williams” <dcwill@ee.unr.edu>
To: cypherpunks@toad.com
Message Hash: 283cad858243f2227891d10466d7bdc78c0974b20d0170f15d24abd80642b2f8
Message ID: <199501181754.MAA24686@bb.hks.net>
Reply To: N/A
UTC Datetime: 1995-01-18 17:49:27 UTC
Raw Date: Wed, 18 Jan 95 09:49:27 PST

Raw message

From: "Dr. D.C. Williams" <dcwill@ee.unr.edu>
Date: Wed, 18 Jan 95 09:49:27 PST
To: cypherpunks@toad.com
Subject: Re: Key backup (was: How do I know . ..)
Message-ID: <199501181754.MAA24686@bb.hks.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

'Eric Hughes' was reported to have written:

> You use your friends now because off-site storage facilities are not
> yet available.  The software for distributed remote backup has yet to
> make this operation transparent.

Even when such a system becomes available, I don't think that it will
obviate the need for relatively secure on-site storage. Banks and safe
deposit boxes haven't completely precluded the demand for safes at home.
Many people don't trust banks. Fewer will completely trust cypherbanks
and distributed.net.storage systems.

> I suspect that most private keys in the future will be held in PCMCIA
> cards (initially) and then their smaller replacements.  Backing up a
> private key to these allows use of a safe deposit box.

Safe deposit boxes, by virtue of their accessibility to law enforcement,
are subject to search and seizure under court order and are sealed
in certain cases (probate). This makes them likely to be the first place
to look when the Feds decide that we can't have keys anymore. Personally 
speaking, I'll take my chances with secure "on-site" storage, even if I 
choose a location other than my own home or business. 

>    If it's still "passphrase-protected", an attacker would a) have to know
>    what to look for

> For scalability, most people will use some standard method, whatever
> it is.  This limits the search space of an opponent.

If barcoding is our example, what's to prevent it from being printed
in a format selected by the user? Printing on a small paper/plastic
label and affixng it (in whole or in parts) to other objects effectively
disguises it as a UPC label. You would have to know which labels are
a part of a keyring for them to have any significance. Even George
Bush now knows that every commercial product has a UPC on it somewhere.
Many stores add their own UPC sticker to merchandise for inventory
control purposes. Break a keyring into 4 or 5 pieces (whatever it takes
to make each piece comparable in size and appearance to the standard UPC
label), stick them on selected objects, and let someone who knows what
they're looking for try and reconstruct your keyring from the universe of
combinations of UPC labels found around your home. With an unknown number
of parts, this seems like a practically insurmountable problem. This 
becomes a stego problem as well as a key decryption problem.

With barcoding as the standard, another person prints his key on a small
unmarked card and hides it somewhere deemed to be secure by him. The
UPC-label attack fails because his keyring isn't disguised as UPC product
labels. How does the attacker know what to look for?

True Paranoids could devise some sort of "invisible ink" method,
requiring UV or heat exposure before the barcode becomes visible.
Now your backup key looks like a blank sheet of paper. ;-)

My point is that with a regular barcode-generation program and a laser
printer, an infinite number of formats and combinations can be created
by individual users to suit their needs. You can print an 8.5 x 11 sheet
with the title "PGP secret keyring" and put it in a frame hung on the
wall, or you can print a bunch of split key pseudo-UPC labels and put one 
on the back of the frame to disguise it as the manufacturer's product label.
One method is secure and the other is not, but the specifics are left
to the user because the method is sufficiently flexible to allow a number
of formats. I contend that anyone capable of running PGP properly is
also capable of using a barcode printing program without difficulty
(check out the back of PC Magazine). All that would need to be written
is a short routine to convert the encrypted keyring into a format
suitable as input for a program of this nature. Heck, there's probably
a PD barcode program out there already.

My question to the respected elders of this list is "how or why is
this type of key backup system insecure, if it is in fact insecure?"


=D.C. Williams	<dcwill@ee.unr.edu>

- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBLx1VlyoZzwIn1bdtAQFT5QF+N2RGEpj37fT0iCUnPdnkaUWItbC+HHAj
eFAyBU7fNOnHGwiriHnuEcYaZxBV6lst
=l3PL
-----END PGP SIGNATURE-----





Thread