Retroshare accepts existing PGP keys for creating identities (e.g. 4096-bit keys instead of 2048 bits), and also offers users to create a new PGP keypair if they haven't got one. It however requires the following characteristics in the key: it must be RSA for encryption and signing.

When connecting to a friend, the SSL handshake protocol allows a callback that is used to validate the certificate sent by the connecting peer. In this callback, Retroshare verifies the PGP signature of the SSL certificate, using the PGP public key of the friend. If PGP keys (and therefore Retroshare certificates) are exchanged safely (e.g. hand-to-hand), SSL connections cannot be spied on using a so-called man-in-the-middle attack.

Signing your friend's PGP key is not mandatory for connecting (don't mix that up with signing SSL certificates, which *is* mandatory). This is permitted by Retroshare in order to provide a Web-of-Trust mechanism to the network. A new identity being signed by some of your friends should be understood as being approved by your friends, and should garner a higher level of confidence with you. Retroshare is currently not using the full potential of the web of trust mechanism, and we would like to develop it further in the future.

Your Retroshare certificate contains the following information: your identity, and optionally the friends' signatures; the SSL certificate's hash, and name.

Certificates are encoded in radix64 in two different formats: the old format, with text tags like --SSLID--, and the new format, a single radix64 block with internal sub-blocks. The latter has definite advantages in terms of robustness, ease of parsing and cleaning. In the near future (version 0.6), only the new format will be used to export certificates.

Identities can be exported/imported (from Friends -> profile -> profile manager), in the form of a PGP key pair in ASCII format. The private PGP key is in this case kept encrypted with your usual password. Although it is therein protected, it can be brute-forced, especially if your passphrase is weak, so it's recommended to keep identity files safe.

Login mechanism

At login, RetroShare reads the encrypted SSL certificate for your location, and the encryption passphrase, from the hard disk. The SSL passphrase is chosen randomly when creating your location. It is currently a 64-character string, with an entropy of 418 bits, and is reasonably robust against brute-force attacks. The SSL passphrase is encrypted using the owner's PGP key, and stored in the file keys/ssl_passphrase.pgp. When logging in, RetroShare therefore asks for the PGP passphrase in order to decrypt this file using the private PGP key. The unencrypted SSL passphrase and the encrypted SSL certificate are both used to initialize the SSL session.

When using auto-login, RetroShare stores the unencrypted SSL passphrase in the system's password manager. This happens to be the Gnome keyring on Debian-based systems, and the password manager on Microsoft Windows. This feature should be used with care (see below).
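The login key chain described above, modelled in Python as an added illustration (this is not RetroShare's code): the random 64-character SSL passphrase is wrapped under the user's PGP passphrase, a normal login unwraps it, and auto-login hands out the plaintext copy kept in the keyring without any secret at all. PGP encryption is replaced by a labelled stand-in (PBKDF2 key derivation plus an HMAC-SHA256 keystream with an integrity tag) so the script runs on the standard library alone; the 92-symbol alphabet and the `store` dictionary are assumptions.

```python
"""Model of RetroShare's login key chain (illustration, not RetroShare code).
PGP encryption of the SSL passphrase is stood in for by PBKDF2 + an HMAC-SHA256
keystream with an integrity tag, so only the standard library is needed."""
import hashlib, hmac, math, secrets, string

# Assumed 92-symbol alphabet: 64 * log2(92) ~= 417.5 bits, the page's "418 bits".
ALPHABET = (string.ascii_letters + string.digits + string.punctuation)[:92]

def generate_ssl_passphrase(length=64):
    """Random SSL passphrase chosen when the location is created."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=64, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)

def _keystream(key, n):
    # HMAC-SHA256 in counter mode: stand-in for the PGP symmetric cipher.
    out = b""
    for i in range(0, n, 32):
        out += hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _derive(pgp_passphrase, salt):
    # Stand-in for unlocking the private PGP key with its passphrase.
    return hashlib.pbkdf2_hmac("sha256", pgp_passphrase.encode(), salt, 200_000, dklen=64)

def wrap(ssl_passphrase, pgp_passphrase):
    """Encrypt the SSL passphrase under the PGP passphrase (keys/ssl_passphrase.pgp)."""
    salt = secrets.token_bytes(16)
    key = _derive(pgp_passphrase, salt)
    data = ssl_passphrase.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key[:32], len(data))))
    tag = hmac.new(key[32:], salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap(blob, pgp_passphrase):
    """Decrypt; a wrong PGP passphrase fails the tag check, like a failed login."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = _derive(pgp_passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(key[32:], salt + ct, hashlib.sha256).digest()):
        raise ValueError("bad PGP passphrase")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], len(ct)))).decode()

def login(store, pgp_passphrase=None):
    """Normal login needs the PGP passphrase; auto-login (no passphrase) returns
    the plaintext copy RetroShare leaves in the system keyring (store["keyring"])."""
    if pgp_passphrase is None:
        return store["keyring"]  # nothing protects this path: the auto-login risk
    return unwrap(store["ssl_passphrase.pgp"], pgp_passphrase)
```

The chain is only as strong as the PGP passphrase the user chose, since that is the one secret that unlocks the 418-bit SSL passphrase; auto-login removes even that step.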