ietf-openpgp

Re: encryption key expiry in pgp5.x

1997-10-20 15:13:26
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Back writes:
> I think this argues for the advantages of using symmetric keys for
> storage encryption (pgp -c).  I used to do this a lot myself.  You
> don't have the same need to update storage keys.  Those files I used
> pgp -e to encrypt to myself, I am now stuck with digging them all out
> and re-encrypting them or losing them, if I did what I really should:
> revoke and burn the key I generated back in 1993.

One problem with pgp -c in older versions of PGP is that all the files
are encrypted with the same session key (assuming all use the same
passphrase).  Generally it is better to switch session keys frequently,
which pgp -e does for you (every file uses a different session key).
Of course we believe the ciphers we are using are strong, so it is not
a major security leak, but all else being equal it is good to have the
frequent rekeying.

One suggestion to get around this problem is to use an indirection: 

Store the symmetric key used to encrypt stored files: key k1 in
encrypted form -- store the key k1 on the disk encrypted with key k2.
Key k2 is derived from the passphrase, k2 = hash(passphrase).  This
allows you to change the passphrase without re-encrypting the files.
E(k2,k1) could go with the secret keyring.  (This is what SFS does I
think).

The new PGP conventional ESK (encrypted session key) packet works
something like this.  It supports the use of a random session key k1 to
encrypt the data, with k1 then encrypted under a key k2 which is derived
deterministically from the passphrase.  However it puts E(k2,k1) at the
front of the file, along with any public ESKs, rather than putting them
into the secret keyring.

I think your idea requires the use of the same k1 everywhere, which again
suffers from the problem of providing lots of ciphertext encrypted under
the same key.

It's not clear how much you gain by being able to change your passphrase
once a month if the files are still encrypted under the same old key.
You're going to increase your chance of forgetting a passphrase but you
don't seem to gain much security.

My CDR proposal is this extension to the above:

Also encrypt recovery information so that your storage key k1 can be
recovered by second parties if you forget the passphrase.  So also
within the private key ring you would store: RSA(pk_r, k1), where pk_r
is the public recovery key, for your company, or close friend, lawyer,
etc.

PGP supports a mix of conventional (symmetric) ESK packets and public key
ESK packets (not in the UI yet, though).  This will allow messages which
can be decrypted by any of a set of key holders, or anyone who knows
one or more passphrases.  This could be used for encryption to a group of
people where some of them don't have public keys for some reason, but you
share a passphrase with them via some out-of-band means.

Hal Finney
hal(_at_)pgp(_dot_)com
hal(_at_)rain(_dot_)org

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNEvU4MDh8jnv1nHwEQLBZACfXUgyKeZKot89qMoS6DdTXO2C96sAoITu
LXztWBrr/9PQ4TPCOgQBege7
=6vEA
-----END PGP SIGNATURE-----
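The key indirection discussed in this message (a storage key k1 kept on the secret keyring as E(k2,k1) with k2 derived from the passphrase, fresh session keys per file as pgp -e does, and a recovery wrap of the same k1 for a second party) can be sketched in a few lines. The following is an added example, not code from the thread or from PGP: the symmetric cipher E/D is a constructed HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, standing in for the real cipher; k2 is derived with salted PBKDF2 rather than the bare hash(passphrase) the post writes; and the recovery entry RSA(pk_r, k1) is modelled with a symmetric recovery key held by the recovery party, because the Python standard library has no RSA. All names (create_ring, unlock, change_passphrase, add_recovery, recover, encrypt_file, decrypt_file) are hypothetical.

```python
"""Added example: passphrase/storage-key indirection with per-file session keys
and a recovery wrap.  Constructed stand-in cipher; not PGP's packet format."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32
WRAPPED_KEY_LEN = NONCE_LEN + KEY_LEN + TAG_LEN  # size of E(key, 32-byte key)


def derive_k2(passphrase: str, salt: bytes) -> bytes:
    """k2 = hash(passphrase).  Salted, iterated PBKDF2 is used here (an assumption)
    so equal passphrases on different rings do not yield equal k2."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 50_000, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: HMAC(key, nonce || counter) blocks
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def E(key: bytes, plaintext: bytes) -> bytes:
    """Constructed symmetric cipher: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def D(key: bytes, blob: bytes) -> bytes:
    """Inverse of E; raises ValueError on a wrong key or modified data."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def create_ring(passphrase: str) -> dict:
    """Secret-ring entry as the post proposes: E(k2, k1); k1 itself is never stored."""
    k1, salt = secrets.token_bytes(KEY_LEN), secrets.token_bytes(16)
    return {"salt": salt, "wrapped_k1": E(derive_k2(passphrase, salt), k1), "recovery": {}}


def unlock(ring: dict, passphrase: str) -> bytes:
    """Recover k1 from the ring; ValueError if the passphrase is wrong."""
    return D(derive_k2(passphrase, ring["salt"]), ring["wrapped_k1"])


def change_passphrase(ring: dict, old: str, new: str) -> None:
    """Re-wrap k1 under the new k2.  Files encrypted under k1 are untouched."""
    k1 = unlock(ring, old)
    ring["salt"] = secrets.token_bytes(16)
    ring["wrapped_k1"] = E(derive_k2(new, ring["salt"]), k1)


def add_recovery(ring: dict, passphrase: str, holder: str, recovery_key: bytes) -> None:
    """CDR entry: the post's RSA(pk_r, k1), modelled here with a symmetric key
    held by the recovery party (assumption: stdlib has no RSA)."""
    ring["recovery"][holder] = E(recovery_key, unlock(ring, passphrase))


def recover(ring: dict, holder: str, recovery_key: bytes) -> bytes:
    """The recovery party obtains k1 without knowing the passphrase."""
    return D(recovery_key, ring["recovery"][holder])


def encrypt_file(k1: bytes, data: bytes) -> bytes:
    """Fresh random session key per file (as pgp -e does), wrapped under k1:
    E(k1, ks) || E(ks, data).  Only the short wrap is ever encrypted under k1."""
    ks = secrets.token_bytes(KEY_LEN)
    return E(k1, ks) + E(ks, data)


def decrypt_file(k1: bytes, blob: bytes) -> bytes:
    ks = D(k1, blob[:WRAPPED_KEY_LEN])
    return D(ks, blob[WRAPPED_KEY_LEN:])


def demo() -> bool:
    """Walk through the scenario in the post with constructed sample data."""
    ring = create_ring("old passphrase 1993")
    k1 = unlock(ring, "old passphrase 1993")
    files = [encrypt_file(k1, b"constructed sample file %d" % i) for i in range(3)]
    change_passphrase(ring, "old passphrase 1993", "new passphrase")   # no re-encryption
    k1_again = unlock(ring, "new passphrase")
    ok = k1_again == k1 and all(decrypt_file(k1_again, f)[-1:] == b"%d" % i for i, f in enumerate(files))
    lawyer_key = secrets.token_bytes(KEY_LEN)          # constructed recovery key
    add_recovery(ring, "new passphrase", "lawyer", lawyer_key)
    return ok and recover(ring, "lawyer", lawyer_key) == k1


if __name__ == "__main__":
    print("indirection demo ok:", demo())
```

Each call to encrypt_file draws a new session key, so the only material encrypted under k1 is a sequence of short random wraps, which is the "frequent rekeying" point made above; a passphrase change rewrites just the one wrapped_k1 entry, and a recovery holder gets k1 from their own entry without the passphrase.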