Is it possible to change a RSA key passphrase ? about cryptico HOT 6 CLOSED

Yes please, this is critical in cases where someone compromises their key

from cryptico.

Not going to happen. This lib is a distinct approach from what you want.

Usually, passphrase is used to encrypt an existing private key. Thus, it can be decrypted and then encrypted using different passphare.
This lib utilizes passphase as a seed for random number generator. Thus, private key is uniquely and tightly coupled with its passphare.

Think of it the same way as of a hash function. A hash function deterministically maps its input to some hash. You cannot just change one input to another input, chosen by your wish, and still get the same hash on output.

You would use this lib if you don't want to store private key. Thus, for an end-user of your application, passphase becomes indistinguishable from private key in matter of its usage and purpose. Lost passphrase = lost private key.

The practical applications of this are rare and should be well-thought-out before deployment, I would say. The enthropy of a key is very low (few orders of magnitude lower than should be for strong private key). Such approach is good for proving the knowledge of a passhprase to other party, but really bad for actual data encryption.

If you're already storing private keys, you should consider truly random generation for private keys and some common symmetric encryption with passphrase to secure a private key. Maybe, something like this https://github.com/brix/crypto-js#aes-encryption

from cryptico.

@arantir
can you use an trully random generation for passphrase and keep this code to generate the private key?

from cryptico.

@Elmapul I guess you want to generate a secure (to some extent) RSA key purely on client-side (in other words generate a key with a sophisticated server-side software and send it to the client is not a case for you). If so, then... yes, this can do the trick.
The concerns are how good is the randomness of your passphrase and how good is PRNG implementation in the library (this claim is true for any lib which generates a key from a seed), but I'm not that much of an expert in cryptography to judge.

from cryptico.

@arantir If this is really the way it operates, you should make this much clearer in the documentation. As it stands, a cursory look at this definitely leads people to misinterpret what this library does (as evidenced by the response on this issue)

from cryptico.

@fresheneesz Sorry, I'm not the owner or contributor (also have no intention to be the one), just used the lib few times long ago.
The way it operates is described on the front page https://github.com/wwwtyro/cryptico#encryption-technical-documentation

from cryptico.