By default, no .cheat files are created. You need to explicitly initialize the "cheat mode" by creating the master cheat.public and cheat.private key files:
>ecc cheatinit
Enter Issuer identifier text of the master cheat keys. Will be truncated to 15-20 ascii-7 chars.
Issuer [arbou] :
Enter a private PassPhrase for the master cheat.private key (at least 8 chars). Save this in a safe place: if you forget it, the key will be useless!
NewPass [uQHH*am39LLj] : verysafelongpassword
Enter iteration rounds for the mastercheat.private key (at least 100000).
NewRounds [100000] :
cheat.public/.private file created.
As you can see, the default number of PBKDF rounds is high (100000), and local files have been created:
>dir cheat.*
18/10/2016 11:12 4 368 cheat.private
18/10/2016 11:12 568 cheat.public
Now we will create a new key pair (in a single command line, with no console interaction):
>ecc new -newpass NewKeyP@ssw0rd -noprompt
Corresponding TSynPersistentWithPassword.ComputePassword:
encryption HeOyjDUAsOhvLZkMA0Y=
authMutual lO0mv+8VpoFrrFfbBFilNppn1WumaIL+AN3JXEUUpCY=
authServer lO0nv+8VpoFrrFfbBFilNppn1WumaIL+AN3JXEUUpCY=
authClient lO0kv+8VpoFrrFfbBFilNppn1WumaIL+AN3JXEUUpCY=
D1045FCBAA1382EE44ED2C212596E9E1.public/.private file created.
An associated .cheat file has been created:
>dir D10*
18/10/2016 11:15 1 668 D1045FCBAA1382EE44ED2C212596E9E1.cheat
18/10/2016 11:15 2 320 D1045FCBAA1382EE44ED2C212596E9E1.private
18/10/2016 11:15 588 D1045FCBAA1382EE44ED2C212596E9E1.public
Imagine you forgot the NewKeyP@ssw0rd value. You could use the following command to retrieve it:
>ecc cheat
Enter the first chars of the .private certificate file name. Auth: D10
Will use: D1045FCBAA1382EE44ED2C212596E9E1.private
Enter the PassPhrase of the master cheat.private file. AuthPass: verysafelongpassword
Enter the PassPhrase iteration rounds of the cheat.private file. AuthRounds [100000] :
{ "pass": "NewKeyP@ssw0rd", "rounds": 60000 }
Corresponding TSynPersistentWithPassword.ComputePassword:
encryption HeOyjDUAsOhvLZkMA0Y=
authMutual lO0mv+8VpoFrrFfbBFilNppn1WumaIL+AN3JXEUUpCY=
authServer lO0nv+8VpoFrrFfbBFilNppn1WumaIL+AN3JXEUUpCY=
authClient lO0kv+8VpoFrrFfbBFilNppn1WumaIL+AN3JXEUUpCY=
If your .private key does not have its associated .cheat file, you won't be able to recover your password:
>ecc cheat
Enter the first chars of the .private certificate file name. Auth: 8BC9
Will use: 8BC90201EF55EE34F62DBA8FE8CF14DC.private
Enter the PassPhrase of the master cheat.private file. AuthPass: verysafelongpassword
Enter the PassPhrase iteration rounds of the cheat.private file. AuthRounds [100000] :
Fatal exception EECCException raised with message: Unknown file 8BC90201EF55EE34F62DBA8FE8CF14DC.cheat
In practice, this "cheat mode" will help you implement a safe public key infrastructure of any size. It is exactly as secure as the master cheat.private key file and its passphrase: keep both hidden, and share them only with the few people who really need them. Don't forget to run the ecc rekey command on a regular basis, so that the master password of cheat.private is changed periodically. The main benefit of this design is that the whole key generation process needs only the cheat.public key file: the master cheat.private key is required for recovery only, and never has to be present where new keys are created.
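To make the escrow idea concrete, here is an added Go example (my own illustration, not mORMot's code nor its real .cheat file format): the new key's password is sealed with a fresh ephemeral ECDH key against the master public key, so writing a .cheat file needs only cheat.public, while reading it back needs cheat.private, and a missing .cheat file or the wrong master key fails just as the ecc cheat runs above do. All type and function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Escrow is an illustrative ".cheat" file (not mORMot's real format): ephemeral public key + sealed secret.
type Escrow struct{ EphPub, Nonce, Sealed []byte }

// CheatInit plays the role of "ecc cheatinit": it creates the master cheat key pair.
func CheatInit() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// aeadFor runs ECDH between one side's private key and the other side's public key,
// then derives an AES-256-GCM key from the shared secret (SHA-256 stands in for a KDF).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EscrowSecret is the "ecc new" side: only the master PUBLIC key is needed to write .cheat.
func EscrowSecret(masterPub *ecdh.PublicKey, secret []byte) (*Escrow, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // fresh ephemeral key per .cheat file
	if err != nil { return nil, err }
	gcm, err := aeadFor(eph, masterPub)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return &Escrow{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, secret, nil)}, nil
}

// RecoverSecret is the "ecc cheat" side: it needs the master PRIVATE key plus the .cheat content.
func RecoverSecret(masterPriv *ecdh.PrivateKey, e *Escrow) ([]byte, error) {
	if e == nil { return nil, fmt.Errorf("unknown .cheat file") } // the EECCException case
	ephPub, err := ecdh.P256().NewPublicKey(e.EphPub)
	if err != nil { return nil, err }
	gcm, err := aeadFor(masterPriv, ephPub)
	if err != nil { return nil, err }
	plain, err := gcm.Open(nil, e.Nonce, e.Sealed, nil)
	if err != nil { return nil, fmt.Errorf("wrong master key or damaged .cheat file: %w", err) }
	return plain, nil
}
```

The secret sealed here would be the same JSON document that ecc cheat prints, so recovery yields both the password and its PBKDF rounds.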
The updated documentation is the place to find latest information about this feature.