DP-3T / documents

Decentralized Privacy-Preserving Proximity Tracing -- Documents

Random root selection by user at initialization #246

Open pelinquin opened 4 years ago

pelinquin commented 4 years ago

To reassure the user that the random root comes from his smartphone, wouldn't it be a good idea to propose a list of random numbers at app initialization and ask the user to choose one? This choice would only be asked once. This root key would then be included in the hash of the daily key. This practice would accustom the user to the idea that his phone may contain a private key, which he can use to sign alone.

gianlucag commented 4 years ago

I fail to understand how that would prove to the user that the random seeds are coming from the device. Could you please elaborate a little bit more? Also, the provided random seeds may not be above suspicion of hidden properties, see https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number

pelinquin commented 4 years ago

In many (centralized) systems, a seed is provided by the server to the user. It is impossible to prove that the server did not keep a copy of this seed, which would defeat any use of signature or user authentication. Of course, the smartphone can deceive the user, but the goal is to reassure the user that a corrupted backend cannot steal his key. The pseudo-random generator is not perfect, even using sensors, but asking the user for a choice improves its randomness.