
> you’ll upload your private key to our servers and you’ll like it!

What's the point of PGP if the e-mail company has the private key? Just security as the e-mail is being sent over the network + signature verification?

Sharing the private key is an odd way to keep secrets.




A friend of mine wanted me to send them encrypted .gpg files due to being remote but not having the files on their person. They found that downloading some of these files from failed to download.

After testing and submitting a bug report, they were told that ProtonMail assumes attachments are encrypted with the user's address keys, and tries to decrypt them (the .gpg extension is stripped when recovering/recreating the original file name).

The biggest surprise was that ProtonMail had suggested that my friend import their private key corresponding to the public key for the attachments as a workaround. My friend did not agree to do this.


Proton doesn't have the private key material, we store private keys encrypted with the user's password (which we also don't know).


So the security is reduced from one of the pretty good PGP algorithms to just the user's password?


That is one of my questions too.

Using a low entropy thing (I guess a user's password would be no larger than 20 characters nowadays, even using password managers) to encrypt a high entropy string (a PGP key).

Looks pretty weird to me.


We derive a (key-encryption) key from the password using a password hashing function / key derivation function (bcrypt, although we're planning to switch to Argon2) before using it to encrypt the PGP key. This is fairly standard practice; it's what password hashing / key derivation functions are designed for.

The crypto refresh of the OpenPGP standard also has Argon2 built-in, exactly for this purpose, so that you don't have to do it manually. (RFC4880 also has "string-to-key" functions built-in but they are fairly weak so we don't rely solely on them.)

All of that being said, it's still important to choose a strong password or passphrase, of course; if you choose "123" then it's gonna be guessed instantly no matter how strong the hashing function is (well, unless it's so strong that even logging in becomes too expensive...) The main goal of password hashing functions is to tip the balance towards making it too expensive for an attacker to guess your password (as long as it has let's say "medium entropy") while still making it cheap to log in.
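The scheme the comment above describes (password -> KDF -> key-encryption key -> encrypted PGP secret key), as an added example that is not Proton's code or part of this thread. It uses only the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the bcrypt/Argon2 the comment mentions, and an HMAC-based keystream with a separate HMAC tag stands in for whatever symmetric cipher a real client would use; the iteration count, the sample key bytes and the weak-password list are all constructed for the example. The last function shows the cost asymmetry the comment is about: a strong passphrase survives a dictionary of guesses, while "123" is found after a couple of attempts no matter how expensive the KDF is.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: work factor chosen for the example, not a production setting.
KDF_ITERATIONS = 100_000

# Constructed stand-in for an exported OpenPGP secret key packet.
SAMPLE_PRIVATE_KEY = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nexample-secret-material\n"

# Constructed list of weak candidates for the guessing demonstration.
WEAK_PASSWORD_LIST = ["password", "123", "qwerty", "letmein"]


def derive_kek(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the login password into a 32-byte key-encryption key.

    PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 here; the design point is
    identical: every guess costs the attacker one full KDF evaluation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (illustrative cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(kek: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the KEK (no key reuse)."""
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def wrap_private_key(private_key: bytes, password: str) -> dict:
    """Encrypt-then-MAC the secret key under the password-derived KEK.

    The server stores only this blob: salt, nonce, ciphertext, tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_kek(password, salt))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_private_key(blob: dict, password: str) -> Optional[bytes]:
    """Recover the secret key client-side; returns None on a wrong password or tampering."""
    enc_key, mac_key = _subkeys(derive_kek(password, blob["salt"]))
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # verify the tag before touching the ciphertext
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


def attempts_to_recover(blob: dict, candidates) -> Tuple[Optional[str], int]:
    """Offline guessing against a stored blob: how many KDF evaluations until success.

    Returns (password, attempts) or (None, len(candidates)). Each attempt pays
    the full KDF cost, which is exactly the balance the comment describes."""
    for n, guess in enumerate(candidates, start=1):
        if unwrap_private_key(blob, guess) is not None:
            return guess, n
    return None, len(candidates)


if __name__ == "__main__":
    strong = wrap_private_key(SAMPLE_PRIVATE_KEY, "correct horse battery staple")
    weak = wrap_private_key(SAMPLE_PRIVATE_KEY, "123")
    print("strong passphrase, dictionary result:", attempts_to_recover(strong, WEAK_PASSWORD_LIST))
    print("weak password, dictionary result:   ", attempts_to_recover(weak, WEAK_PASSWORD_LIST))
```

Note that the salt is per user and random, so the same "123" yields a different KEK for every account and guesses cannot be precomputed; that is the KDF's contribution. What it cannot do is make four guesses expensive, which is why the comment still insists on a long passphrase.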


Yes; we recommended generating a long random password or passphrase :)



