Closed MuhammedZakir closed 9 years ago
The password is not encrypted, the PGP key is. The password is one part in the process of generating different secrets for the en-/decryption. The algorithm used is a development named TripleSec, which in fact is three different ciphers on top of each other (AES, Twofish and Salsa20). If you are interested in further details I strongly recommend reading its documentation to understand the why and how.
@dtiersch Thanks! It was a typo. I will read about it!
Is it done client-side or on the webserver?
They do it client-side. That's why they wrote kbpgp - an implementation of PGP in JavaScript, so that they can do everything on the client and the server never needs to see anything unencrypted. I would have gladly linked a source, but I couldn't find it again with a quick search.
@dtiersch pretty much summed it up.
Code for KBPGP: https://github.com/keybase/kbpgp
Code for TripleSec: https://github.com/keybase/triplesec/
If you choose to store your encrypted private key on Keybase's servers, it is encrypted with your passphrase, using triplesec. Triplesec does extensive passphrase stretching, to make brute force/dictionary attacks very expensive, and it uses all 3 of those ciphers for fear that someday one of them will be weakened/broken.
I think it's also worth noting that, since your key is encrypted with your passphrase, Keybase never gets to know your passphrase. For this reason, the login model on Keybase doesn't follow the traditional pack it up and send it over https. Instead, logging in uses these 2 calls:
https://keybase.io/docs/api/1.0/call/getsalt
https://keybase.io/docs/api/1.0/call/login
which is how you prove you know your passphrase without ever sending it to Keybase.
As a last point, you're making 2 big decisions when storing your private key on Keybase:
I assume I've answered everything but feel free to reopen if not.
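A toy model of the two-call login and the passphrase stretching described above, as an added example that is not Keybase's code. The scrypt parameters, the 64-byte split into a local key-encryption key and a login secret, the HMAC-SHA512 proof and the in-memory `Server` class are assumptions chosen for illustration, not Keybase's actual wire protocol.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, simplified model (NOT Keybase's exact parameters or format):
# one memory-hard stretch yields two independent secrets; only the login
# half is ever used against the server, and only as a challenge response.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def stretch(passphrase, salt):
    """Return (kek, login_secret). kek encrypts the private key locally and
    never leaves the client; login_secret is stored server-side at signup
    as a verifier for the challenge-response below."""
    out = hashlib.scrypt(passphrase.encode(), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return out[:32], out[32:]

class Server:
    def __init__(self):
        self.users = {}     # username -> (salt, login_secret)
        self.sessions = {}  # username -> one-time login_session nonce

    def signup(self, user, salt, login_secret):
        self.users[user] = (salt, login_secret)

    def getsalt(self, user):  # plays the role of the getsalt call
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(32)
        self.sessions[user] = nonce
        return salt, nonce

    def login(self, user, hmac_pwh):  # plays the role of the login call
        _, login_secret = self.users[user]
        nonce = self.sessions.pop(user, None)  # single use: blocks replay
        if nonce is None:
            return False
        expected = hmac.new(login_secret, nonce, hashlib.sha512).digest()
        return hmac.compare_digest(expected, hmac_pwh)

def client_login(server, user, passphrase):
    salt, nonce = server.getsalt(user)
    _, login_secret = stretch(passphrase, salt)
    # Proof of knowledge: passphrase and stretched secret stay on the client.
    proof = hmac.new(login_secret, nonce, hashlib.sha512).digest()
    return server.login(user, proof)

def demo():
    srv = Server()
    salt = os.urandom(16)
    kek, login_secret = stretch("correct horse", salt)
    srv.signup("alice", salt, login_secret)
    ok = client_login(srv, "alice", "correct horse")
    bad = client_login(srv, "alice", "wrong horse")
    stale = srv.login("alice", b"\x00" * 64)  # no live session: rejected
    return ok, bad, stale, kek != login_secret
```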
Hello,
How is decryption of PGP password done? I currently don't like to store an encrypted private key online. After thinking about it, it would be helpful when traveling to use with a secure connection. Before doing it, I would like to know how decryption is done. Thanks in advance!
Kindly, Muhammed Zakir