
We don't have your private key, and so we have you write down a passphrase that can derive the key (sha256(passphrase)). In addition, we have a last resort mechanism to help you recover your private key if it ever gets lost. We use Shamir's secret sharing to split up the secret key, and send you a share. The pk can only be reconstructed when both shares are combined. We have zero information about your pk.


Why email it to me though? If all you need to essentially recreate the private key is this tidbit you've emailed me (plaintext, available to anyone), plus the (potentially compromised) tidbit on your server... What am I missing? Shamir's secret sharing doesn't help me if you already have access to all the pieces (your email account and a hacked server).


I assume, by "they don't have it", they actually mean "they had it when you input it into their sign-up form, kept it just long enough to put it into an email, and then erased it."


SHA-256 is not a suitable key derivation function. Attackers could then crack the keys pretty easily (now the keys are only as secure as the passphrases). Use something like PBKDF2/bcrypt/scrypt.


How so? SHA-256, PBKDF2, bcrypt, and scrypt are all deterministic: in all cases, I can get your key if I know your secret (passphrase and salt).

Admittedly, though, using SHA256(passphrase) without a salt to derive a key makes dictionary attacks easier than the others.
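The disagreement above about sha256(passphrase) versus a salted, iterated KDF, as an added example (not code from the thread or the service being discussed): the passphrase, salt size and iteration count are constructed assumptions. It shows that both derivations are deterministic, as the last commenter says, but only the unsalted one hands every user who picks the same passphrase the same key, which is what makes a single precomputed dictionary work against all of them at once.

```python
import hashlib
import secrets

# Constructed sample data for the demo (not from the thread).
WEAK_PASSPHRASE = b"correct horse battery staple"
PBKDF2_ITERATIONS = 600_000  # assumption: a per-login cost the server can afford


def derive_key_sha256(passphrase: bytes) -> bytes:
    """The scheme described in the thread: key = sha256(passphrase), no salt, one round."""
    return hashlib.sha256(passphrase).digest()


def derive_key_pbkdf2(passphrase: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated alternative from the stdlib: PBKDF2-HMAC-SHA256, 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def new_salt() -> bytes:
    """Per-user random salt; stored next to the user record, does not need to be secret."""
    return secrets.token_bytes(16)


def compare_schemes(passphrase: bytes, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Derive keys for two users who chose the same passphrase under both schemes.

    Returns which properties hold, so the difference can be asserted rather than eyeballed:
      - sha256_keys_collide: both users get the same key, so the key is exactly as
        strong as the passphrase and one table of sha256(candidate) covers everyone.
      - pbkdf2_keys_collide: with distinct salts the keys differ, so any precomputation
        is per user, and each guess costs `iterations` HMAC calls instead of one hash.
      - pbkdf2_reproducible: same passphrase and same salt always give the same key,
        i.e. the KDF is still deterministic (the point the last commenter makes).
    """
    salt_a, salt_b = new_salt(), new_salt()
    sha_a, sha_b = derive_key_sha256(passphrase), derive_key_sha256(passphrase)
    kdf_a = derive_key_pbkdf2(passphrase, salt_a, iterations)
    kdf_b = derive_key_pbkdf2(passphrase, salt_b, iterations)
    return {
        "sha256_keys_collide": sha_a == sha_b,
        "pbkdf2_keys_collide": kdf_a == kdf_b,
        "pbkdf2_reproducible": kdf_a == derive_key_pbkdf2(passphrase, salt_a, iterations),
    }


if __name__ == "__main__":
    print(compare_schemes(WEAK_PASSPHRASE))
```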

