Lazyweb, crypto question. When storing private keys encrypted with a passphrase, is there a compelling reason to do so in a way that makes it easily testable whether the passphrase was correct?
Obviously there's a positive UX reason, so what I'm asking is if there's a compelling argument that the loss of security by doing so is inconsequential.
Under duress, you can give the wrong passphrase resulting in deriving a different key. BIP39 seed phrases use this for an optional passphrase added to the end of the seed phrase. Trezor (who created BIP39) treat it as an advanced feature since it can result in harmful mistakes.
The only state that's stored is the seed phrase so if you enter the wrong passphrase, you get a completely different wallet:
wiki.trezor.io/Passphrase
They make sure you back up the seed phrase, so if the device dies or is lost you don't lose funds or other keys (SSH, GPG, etc.).
Yeah, I'm aware there are situations where this property is an advantage. I'm asking about the other direction - whether there are situations where there's a compelling argument that it doesn't matter if the attacker can see if the passphrase is right or wrong without testing it.
If the public key is stored right next to them, then they can easily check if it's correct. It might be a private key by itself where the attacker doesn't know the use case for sure. It could be beneficial if they can't confirm the passphrase they were given is valid in that case.
The approach used by Trezor is that you'd use the same stored seed for multiple uses, with your everyday use covered by one passphrase (or none, which is the same as an empty one) and then other uses covered by another passphrase. So the stored seed has multiple valid uses.
So you can give the attacker one or more valid passphrases they can confirm are valid while still having ones you didn't tell them. Could be relevant to a use case like SSH. Could have some server not tied to you that they compromised so they have pubkey but can't prove it's you.
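Added example, not code from the thread or from Trezor: the BIP39 passphrase derivation discussed above next to a hypothetical verifier-based design, to show the two properties side by side. With BIP39 every passphrase yields a well-formed seed and nothing stored distinguishes them; with a stored verifier a mistyped passphrase is rejected, and that same check is available to anyone holding the file. The mnemonic is the BIP39 reference test vector; the salt is a constructed constant so the output is deterministic.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample values: the BIP39 reference test vector for all-zero entropy,
# and a fixed salt so the verifier example is deterministic.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
SALT = bytes(range(16))


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD mnemonic, salt "mnemonic" + passphrase,
    2048 rounds, 64-byte output. Every passphrase yields a plausible seed; nothing
    stored lets anyone tell a 'right' passphrase from a 'wrong' one."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seeds_for(mnemonic: str, candidates: list) -> set:
    """Each candidate passphrase derives its own wallet from the one stored seed phrase
    (the Trezor 'hidden wallet' behaviour); an empty passphrase is just another one."""
    return {bip39_seed(mnemonic, p) for p in candidates}


def store_testable(passphrase: str, salt: bytes = SALT) -> dict:
    """Hypothetical testable design (not BIP39): keep a verifier tag next to the
    encrypted key so the UI can reject a mistyped passphrase immediately."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)
    tag = hmac.new(key, b"passphrase-verifier", "sha256").digest()
    return {"salt": salt, "verifier": tag}


def passphrase_matches(record: dict, guess: str) -> bool:
    """The convenience check; whoever holds the record gets the same yes/no answer."""
    key = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), record["salt"], 100_000)
    tag = hmac.new(key, b"passphrase-verifier", "sha256").digest()
    return hmac.compare_digest(tag, record["verifier"])


if __name__ == "__main__":
    print(bip39_seed(MNEMONIC, "TREZOR").hex())
    print(len(seeds_for(MNEMONIC, ["", "TREZOR", "duress"])), "distinct seeds, none flagged wrong")
    rec = store_testable("correct horse")
    print(passphrase_matches(rec, "correct horse"), passphrase_matches(rec, "wrong"))
```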