Key Pass File

Narayan
2013-10-31
2013-12-27
  • Narayan
    2013-10-31

    Hi
    I am very confused about the documentation and the security in the usage of the composite password key, esp. the key file.

    Your documentation states:
    ====Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret
    ======

    1) What is meant by "the location of the key file need not be a secret, rather the data contained in the key file should be a secret"? I don't understand. If an intruder gets hold of the key file by examining the access times of the file (e.g.), how does he care about the contents as long as it lets him log into my account? It seems the location of the file (and hence its contents) must be kept a secret. Please explain why not.

    2) I have created a composite key (master password and key file combo) for my account. The problem I see is, when I log in, the key file is already checked and the correct key file already appears in the login window. This is not desirable. The user must be required to enter the key file name and the master password at login. If not, the problem I see is you are already giving away half the solution of the composite key to an intruder who gets hold of my machine. Please advise.

  • wellread1
    2013-10-31

    "It seems the location of the file (and hence its contents) must be kept a secret."

    The key file needs to be inaccessible to an intruder, not in a secret location that is discoverable. A simple analogy is that of a house key. Everyone knows that your house key is in your pocket, but it is inaccessible to a potential intruder in that location. However, if you hide the key under the flower pot in the garden, an intruder could find it.

    A key file is a special purpose component of a Master Key. It is useful only if you are prepared to keep it in a location that is not accessible to an intruder (e.g. on a USB key in your pocket). Otherwise a strong Master Password is sufficient.

    • Narayan
      2013-12-27

      Wellread1, very nicely put, especially the house key analogy. Thank you so much for that explanation.