bilal4hmed

can someone explain this ....on initial reading it seems this is for backup of messages but I have a feeling this is more than that

ignoramous
From what I understand: The blog answers, how does one store a secret without it being subject to brute force (and other offline) attacks [0], with:

Generation of the secret (on the client):

1. Generate sk: Key-stretch user-provided pass-phrase to 256 bits using Argon2 [1].

2. Generate a verifiable auth-token, token = hmac-sha256(sk, "auth key encrpytion") [2]

3. Generate a split secret-key:

3a. split1 = hmac-sha256(sk, "master key encryption")

3b. split2 = high-entropy-random-256-bits

4. Send key-pair (token, split2) to remote machines running BOLTed [3] server code in a SGX enclave [4] that replicate it using raft-consensus protocol [5] over Noise [6] in an hardware-encrypted RAM [7] and never on-disk.

5. Generate master-key = hmac-sha256(split1, split2)

6. Generate as many application-keys as required, and use these to encrypt user's data, for instance, app-key-sge = hmac-sha256(master_key, "social graph encryption") and so on...

-

Recovery of the secret (by the client):

1. On the client, using user-provided pass-phrase, generate sk, token, and split1, like above.

2. Send the token to a remote machine. If the token is valid, remote lets the client retrieve split2 [8] with which the client can now generate the master-key and app-keys, as before.

3. If the token sent is invalid, remote lets the client retry a very limited number of times before destroying the secret key-pair.

---

[0] From the post, ...we’ve been working on new techniques based on secure enclaves and key splitting that are designed to enhance and expand general capabilities for private cloud storage. Our aim is to unlock new possibilities and new functionality within Signal which require cross-platform long-term durable state, while verifiably keeping this state inaccessible to everyone but the user who created it.

[1] https://en.wikipedia.org/wiki/Argon2 (end-users prefer shorter passwords but one gets better entropy with longer passwords... which is what Argon2 brings to the table)

[2] https://en.wikipedia.org/wiki/HMAC

[3] https://github.com/facebookincubator/BOLT (prevents speculative execution exploits: https://en.wikipedia.org/wiki/Speculative_execution)

[4] https://blog.quarkslab.com/overview-of-intel-sgx-part-1-sgx-... (used for strict code and hardware attestation)

[5] https://www.youtube-nocookie.com/embed/YbZ3zDzDnrw

[6] http://www.noiseprotocol.org/ (Wireguard and WhatsApp use it, too, for end-to-end communication)

[7] https://eprint.iacr.org/2016/204.pdf

[8] Thanks u/jlund: https://news.ycombinator.com/item?id=21839394