Writing up a blog post on Keyczar


Will Sargent

Oct 5, 2015, 1:13:16 AM
to Keyczar Discuss

Daniel Bleichenbacher

Oct 5, 2015, 6:27:47 AM
to keyczar...@googlegroups.com
On Mon, Oct 5, 2015 at 7:13 AM, Will Sargent <will.s...@gmail.com> wrote:
Let me know if there's anything I should add:


Let's just start with the open questions:

(1) Why are RSA keys specified either as encrypt/decrypt or as sign/verify?

A design principle in crypto is: "One purpose per key".
The main motivation for this is that if a key is used for multiple distinct cryptographic operations,
this can easily threaten the security of the key even if each operation by itself is secure.

It actually seems that keyczar isn't going far enough. In principle if an HMAC key is used for
example for MACs with timestamp, then it would make sense that this key is only used for 
such MACs and it would make sense that the library has means to enforce this.

(2) Why such a complicated system for adding and removing keys? 

Mainly the same as above. You don't just want to create a raw RSA key, but you also want to
specify for which purpose the key has been created. Hence creating keysets in two steps
makes sense.

(3) Why all the metadata?

If a key is used for a specific purpose then the key storage should of course describe that
purpose and that requires obviously more data than just the raw key. In particular, I think
that keyczar suffers from not having enough data, not defining keys and purpose well enough
and is in some cases not well designed.
E.g. storing key type and purpose on the same level makes it impossible to change the
key type in a key set.
 

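An added example (not from the thread, and not Keyczar's API or metadata format) of a library enforcing one purpose per key for the timestamped-MAC case raised in the reply above, with the key type recorded per version instead of beside the purpose. The `Keyset` class, the `timestamped-mac` label and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

class PurposeError(Exception):
    """Raised when a key is asked to do something other than its one purpose."""

class Keyset:
    """Hypothetical keyset: one purpose for the whole set, key type per version."""
    def __init__(self, purpose):
        self.purpose = purpose
        self.versions = []  # each entry: {"type": str, "key": bytes}

    def add_version(self, key_type, key):
        # A later version may use a different type; the purpose never changes.
        self.versions.append({"type": key_type, "key": key})

    def primary(self, purpose):
        # The caller must name the purpose; a mismatch is refused outright.
        if purpose != self.purpose:
            raise PurposeError(f"keyset is for {self.purpose!r}, not {purpose!r}")
        return self.versions[-1]

PURPOSE = "timestamped-mac"                 # assumed purpose label
DIGESTS = {"HMAC_SHA256": hashlib.sha256}   # assumed key type name

def mac_with_timestamp(keyset, message, timestamp):
    version = keyset.primary(PURPOSE)
    digest = DIGESTS[version["type"]]
    # The purpose label and timestamp are part of the MAC input, so a tag made
    # here is not a valid plain MAC over `message` alone.
    data = PURPOSE.encode() + b"\x00" + struct.pack(">Q", timestamp) + message
    return hmac.new(version["key"], data, digest).digest()

def verify_with_timestamp(keyset, message, timestamp, tag, now, max_age):
    # Reject tags from the future or older than max_age seconds.
    if not 0 <= now - timestamp <= max_age:
        return False
    expected = mac_with_timestamp(keyset, message, timestamp)
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    ks = Keyset(PURPOSE)
    ks.add_version("HMAC_SHA256", bytes(range(32)))  # constructed sample key
    tag = mac_with_timestamp(ks, b"hello", 1000)
    print(verify_with_timestamp(ks, b"hello", 1000, tag, now=1010, max_age=60))
```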

Will Sargent

Oct 5, 2015, 5:03:06 PM
to keyczar...@googlegroups.com

Will Sargent

Oct 8, 2015, 4:33:37 PM
to keyczar...@googlegroups.com
In the wake of the SHA-1 attack written up by Ars http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/

I've updated the limitations section, but please let me know if I missed anything as I Am Not A Cryptographer:

"First, the big one. Keyczar generates RSA and DSA keys using SHA-1. This is a problem if you plan on using asymmetric signing (digital signatures) with Keyczar. According to SP 800-131A “SHA-1 shall not be used for digital signature generation after December 31, 2013.” This has been a bug since 2008, but has not been corrected. Arstechnica reports that a prestart collision (a tailored case where the initialization vectors are preselected) against SHA-1 was successful, and it’s expected that a SHA-1 collision would cost around $75,000 to $120,000 and several months right now… expensive for most people, but pocket change for a determined adversary.

That being said, it doesn’t mean SHA-1 itself is “broken”. There are three different things that can involve SHA-1:

SHA-1 is a cryptographic hash: it provides integrity.
HMAC-SHA1 is a hash based message authentication code: it provides integrity and authentication.
RSASSA-PSS is a digital signature: it provides integrity, authentication and non-repudiation.

A preimage attack (given a hash, find something that makes that hash) would break integrity. A second-preimage attack (given a message, find a different message with the same hash) would break authenticity. A collision attack would break non-repudiation. So, this attack would ONLY break asymmetric signing. There are references to truncated SHA-1 hashes throughout the documentation — these are integrity checks, so they’re fine. That being said… it’s not great.

Keyczar, when using symmetric signing, will only generate HMAC-SHA1, and specifying size=256 will not magically turn it into a SHA256 hash. See above."

I'm unsure of the digital signature mechanism used: I assume it's RSASSA-PSS / RFC 3560.


Will.

Shawn Willden

Oct 12, 2015, 3:05:31 PM
to keyczar...@googlegroups.com
I'd say "Keyczar generates RSA and DSA signatures using SHA-1". SHA-1 isn't used in key generation.

Will Sargent

Oct 12, 2015, 3:08:31 PM
to keyczar...@googlegroups.com
Good point. Will fix.
