Key distancing #382
@FiloSottile I recall you mentioning somewhere that key distancing (of SSH keys as done by Age) might not be all that useful. Is this because it can be circumvented, or because there is otherwise no need for distancing? Perhaps you can clarify what you have learned on that since the specification was written, or did I read too much between the lines of some comment where this came up...
I gather that since deriving the tweak only depends on the SSH public key, someone who knows the pk can easily reverse the distancing and recover from the tweaked keys the corresponding SSH keys (except for sign and the reversal of SHA-512, but with a custom client the hashed scalar could be used to log in over SSH).

According to documentation this distancing is supposed to provide additional security on signing and encrypting using the same key. This apparently is not needed (as per links in the documentation) and if implemented as defence in depth, it is unknown whether that would be effective. It would seem that libsodium and others who provide such key conversions do not mention or implement any distancing like this.