Slashdot Mirror
Privacy With a 4096 Bit RSA Key — Offline, On Paper
HavanaF writes "Online backup is practical, but can it offer any privacy? The Dutch security company Safeberg developed an Offline Private Key Protocol, with an asymmetric key scheme. The protocol demands that the private (decryption) key be stored away from the 'source' computer, which presumably is 'too vulnerable.' The catch is that the private key needs to be fairly large to be secure: a 4,096-bit RSA key should suffice for some years. But how to store an 800-character key offline? Safeberg introduces a machine readable paper key, with the 4k-bit key crammed in a giant 2D Datamatrix barcode. This video on key strength tells the story."
All matrix codes have enough redundancy to allow successful decoding when the image is partially damaged. Some have so much redundancy that you can tear them in half and still recover the contents.
I am becoming gerund, destroyer of verbs.
Datamatrix is the Gif of the barcode world. It has a bunch of patents covering it.
PDF417 does mostly the same thing, can be read with a laser (instead of an imager) and was designed to be open source and patent free from the beginning.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
If you use the standalone computer for anything but storing the key, or fail to physically secure the standalone computer from access (separate to any physical security on any computer on which data resides that is secured with the key) it is obviously more secure to keep the key on paper, physically secured in something that isn't opened except to access the key.
If you don't use the standalone computer for anything else, and have it separately physically secured, then for any reasonable use of the word "computer", it will probably be equally secure, and vastly less expensive to separately secure the key on paper, instead.
Perhaps the more relevant comparison is separately securing paper vs. separately securing long-term electronic storage media. The sheet of paper will probably be cheaper in any case (though the price difference drops if you are using inexpensive electronic storage media rather than a dedicate computer), and will likely be more likely to be practically usable to access data a longer time into the future. Though in this case, a key factor is making sure the paper has the key in a human-readable form as well as a machine-readable form, since long-term availability of tools to read any particular machine-readable format is an issue. If you use text in an OCR-friendly font, the human readable format and the machine readable format can be the same.
Bar codes printed on media of all kinds are generally quite robust and not error prone. The printing device does not need to be special in any way. The reader does not need to be special in any way. Print the key on acid-free paper using a laser printer and store it for a looong time. I'll leave it up to the slashdot tifosi to declare how long it would last in a bank vault.
Some nice ways to encode keys and store it as a symbol on paper here: http://www.adams1.com/stack.html
Symbology is very non-sexy knowledge, but valuable in logistics.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Reading numbers is more error prone. With the bar code, there are presumably lots of check digits and other such loveliness encoded into it.
As for folding it, what happens? Probably nothing. There are usually CRCs (or similar) and lots of other stuff in those 2D bar codes. This particular scheme, Data Matrix, is apparently highly redundant, allowing full recovery of the data even if (up to) 30% of the bar code is destroyed.
http://www.tlashford.com/TLA/pages/Basic_sym/Symbol_overview.htm#DATAMATRIX
http://en.wikipedia.org/wiki/Data_matrix_(computer)
Check out my sci-fi/humor trilogy at PatriotsBooks.
The paper key seems to contain 4x4 x 22x22 = 7744 bits. So can't tear it in half but almost.
Yes, whenever you use a key it becomes more vulnerable. This only adds security to the storage, not the use. It's amazing how many times this kind of thing is forgotten, e.g. when using an ultra-secure USB device on a computer with zero protection. It becomes even more "interesting" when you have to use the key in an automated system - obviously this design is not meant for continuous use :).
There's a book that's 2200 years old. I don't mean the story (or in this case, poem) is 2200 years old, I mean the *piece of paper* (or in this case, papyrus) on which someone copied the (2400 year-old) poem is 2200 years old. In the right conditions, archival quality paper will last a *lot* longer than any electronic medium.
See http://www.mail-archive.com/gnupg-users@gnupg.org/msg10827.html.
The original paperkey software takes out the redundant key material for a smaller amount of data. You can restore the original key by combining the output with the public key.
To encode:
gpg --export-secret-key (thekey) | paperkey --output-type raw | dmtxwrite -e8 -f pdf > my_pdf_file.pdf
You can pass pdf, eps, svg, etc, to the -f option. Use 'dmtxwrite -l' to get a list of all supported image formats.
To decode:
dmtxread -N1 my_pdf_file.pdf | paperkey --pubring ~/.gnupg/pubring.gpg > my_new_secret_key.gpg
$ gpg --export | dmtxwrite --encoding=8 --format=PNG | lp
To be honest, I thought trusted paper keys were already common knowledge among geeks:
http://en.wikipedia.org/wiki/Trusted_paper_key
Problem is, this is an RSA key, it can't just be any random string of bits, it has to be two very large prime numbers. Users won't be chosing a 4096bit key, it will be generated for them.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
i think you're mixing up key length for symmetric ciphers (like AES, 3DES, Blowfish, etc.) which are generally quite short like 128 or 256 bits and key lengths for _asymetric_ cryptosystems which vary much more in length and in the case of RSA are somewhere closer to 2048 and 4096.
The reason is that for symmetric ciphers we _believe_ to be secure the best an attacker can do is brute force the key space. so that means brute forcing 2^128 or 2^256 possible keys. That's a hell of a lot of work. with current technology probably infeasible.
but for asymmetric schemes it's not as straightforward. To get a glimpse of why this is think about RSA keys. The public key is an exponent e and an integer n which is the product of two large primes. Now not every string of 4096 is actually represents such a pair number of numbers. (in particular not every bit-string is the product of two primes). so not every string of that length is a valid key. so brute forcing the key space doesn't mean trying every possible string of that length. just the ones which are the product of two primes which is a fair bit less.
Another reason for comparatively longer keys is this. In generally, for many asymmetric cryptosystems there are various attacks known which are still super-polynomial (i.e. inefficient) but are never the less sub-exponential which is what a brute force key search would be. so you have to adjust your key length to reflect these faster attacks even if brute forcing wouldn't be feasible even for shorter keys. (i think some examples of such attacks for factoring (which would break RSA) are the Pollard-Rho method, varients of Quadratic Sieve algorithm, and the Eleptic Curve method.)
well, one problem is that error from reading 1 digit (or hexit, whatever) is much higher - 4 times, to be precise. if the likelihood of making an error in 1 bit reading the matrix is the same as p of error in one digit, then that works out fine. but i don't think that's the case.
weinersmith
Never underestimate the bandwidth of a truck full of tapes hurling down the highway - Andrew S. Tanenbaum
weinersmith