pgpfan:agevspgp
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| pgpfan:agevspgp [2024/06/29 16:30] – [Data Recovery] password store example. better argument b.walzer | pgpfan:agevspgp [2024/08/06 20:53] (current) – [File Substitution] From a HN comment. b.walzer | ||
|---|---|---|---|
| Line 89: | Line 89: | ||
| ====File Substitution==== | ====File Substitution==== | ||
| - | Public key encryption has a generic consideration that is quite relevant here. Anyone with access to the public key can easily create a file that will pass any file modification tests ... because after all //that// file has not been modified after creation. You can try to keep the public key secret but a public key design does not guarantee that the public key can not be derived from the encrypted material. That guarantee only applies to the secret key. So an attacker can skip the bother of attempting to overcome the authentication and just replace the file with whatever they want. | + | Public key encryption has a generic consideration that is quite relevant here. Anyone with access to the public key can easily create a file that will pass any file modification tests ... because after all //that// file has not been modified after creation. So an attacker can skip the bother of attempting to overcome the authentication and just replace the file with whatever they want. |
| The traditional fix for this weakness is to cryptographically sign the file ... and, once again, age does not do signatures. An age user would need to go through the process of finding a separate signing utility and would have to apply it correctly while using a separate signature file. A GnuPG user would only have to add a '' | The traditional fix for this weakness is to cryptographically sign the file ... and, once again, age does not do signatures. An age user would need to go through the process of finding a separate signing utility and would have to apply it correctly while using a separate signature file. A GnuPG user would only have to add a '' | ||
| + | The creator of age has suggested that you can just keep the recipient identity (public key) away from the attacker and prevent them from creating a valid ciphertext to produce a sort of authentication for age(([[https:// | ||
| + | |||
| + | >I am confident the property holds for the X25519 recipients, and that it would hold for a hypothetical Kyber768+X25519 one,... | ||
| + | |||
| + | ... but provided no explicit argument to that effect. ... and then continued: | ||
| + | |||
| + | >...but it's important not to advertise it as an age-wide property. | ||
| + | |||
| + | In practice the recipient identity key will show up on the command line and/or will be kept in an unencrypted file. So age itself treats it as a potentially public value. | ||
| + | |||
| + | If you and the recipient have the ability to share and keep a secret value secret, why use asymmetrical encryption in the first place? Symmetrical encryption is specifically intended to authenticate in that case. Or why not put that secret value in the plaintext as discussed in an article by the creator of age? The reason that there is not more research into the security of secret recipient identities is because there is no practical value in such use. | ||
| =====Conclusion===== | =====Conclusion===== | ||
pgpfan/agevspgp.1719678610.txt.gz · Last modified: 2024/06/29 16:30 by b.walzer