Re: [Cfrg] Query: Very best practice for RSA key generation
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 21 October 2019 18:32 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA0621201E3 for <cfrg@ietfa.amsl.com>; Mon, 21 Oct 2019 11:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.646
X-Spam-Level:
X-Spam-Status: No, score=-1.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ci0gjkAtcqyM for <cfrg@ietfa.amsl.com>; Mon, 21 Oct 2019 11:32:30 -0700 (PDT)
Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com [209.85.210.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA059120152 for <cfrg@irtf.org>; Mon, 21 Oct 2019 11:32:27 -0700 (PDT)
Received: by mail-ot1-f45.google.com with SMTP id o44so11885771ota.10 for <cfrg@irtf.org>; Mon, 21 Oct 2019 11:32:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=az4TZSZ+Oo+QUpBoJVGfEIOd+4hVjG9FCxRzs033WO4=; b=gxU5IrMreP2mQkGbb7COS70yJT8h5dPur/p67kW/epA2QbPKlr8c5KFLRqdiuPBoUP 9lseaddayPRJvVP9AtxZNoEC5T5YUOmhLWF9nVMnGoI72Ii4hPhUmAXic+siuBG/3fd4 eHH1OqQMqTPLErbLRYeCeuc+C1UxmjGlc7uFHqBlUiugbABJ6X6LHAQf5YGvZwSMNBHM J7vYjQ/Zg11aUbvfu2pf7wUUL3yOJagysb7mBx69+UKTbfsiNqaU3OJwRZ+pQ74s5tbR wcJFiNcL2HW2iie9Tt69mHcSdVrApnEFGlnjs7HIzaj/ubGhw9nOwezCDnA5mPrp2YQ0 B91w==
X-Gm-Message-State: APjAAAW/a7kc8lXff2BGbrzdAaGFc+9DtqZZAig+rvtpRzq/PFeuFUyQ CqfCOFwxvyOoZd2naI8W8TLTsB7WW6NDnetiULc=
X-Google-Smtp-Source: APXvYqw5xR2ITTIEj+4VNFswhWN0K1Z+5Bg2jOnF6Jo7vfboj5ivnVh9agGTVw4tY3vyUUqktcYKWdWa/MPNRbYisnU=
X-Received: by 2002:a05:6830:1d8a:: with SMTP id y10mr1631669oti.48.1571682747016; Mon, 21 Oct 2019 11:32:27 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+Lwixgjj-B0qG=0=Z59egb6fJ2BixW53gfvaPUcZ7r9Ys0w@mail.gmail.com> <CAMm+LwhLb7mnQmjAOxMMsPrzAZb==ix9Erfse5UDSoj0uB0iHQ@mail.gmail.com> <BN8PR11MB3666C8581C62EECE4F8A6E91C1690@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <BN8PR11MB3666C8581C62EECE4F8A6E91C1690@BN8PR11MB3666.namprd11.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 21 Oct 2019 14:32:25 -0400
Message-ID: <CAMm+LwhpGBwwcLhti7WYTLwEkCaPt4Ft+xnc6WCqcPJo3Umgdg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "mathmesh@ietf.org" <mathmesh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d5e9db05956fe733"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5JWND1Dtw72bSQuAot8VFytyhdw>
Subject: Re: [Cfrg] Query: Very best practice for RSA key generation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 18:32:33 -0000
Thanks for the info. I will take a look on the next iteration. This is what I sent out on Friday: http://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html One comment on this approach is that rather than using the traditional nextprime(x) function, it would be more satisfactory to take the next output from the KDF. This is easy to do: try KDF (PRK, "p0", l) try KDF (PRK, "p1", l) try KDF (PRK, "p2", l) etc. Where try is a function that extracts the necessary number of bits, sets the first and last to 1 and tests for primality. This ensures that there is an exactly equal probability of choosing every prime in the space rather than a bias towards primes that are preceded by an empty gap of non primes. Not that we know of a reason such a gap might be an issue, but it seems proper to avoid it since we can. I also plan to add DSA to the draft since it has been requested. The mechanism for generating the first prime will be the same. The mechanism for the second prime will be as constrained by the specification. On Mon, Oct 21, 2019 at 11:25 AM Scott Fluhrer (sfluhrer) < sfluhrer@cisco.com> wrote: > Actually, NIST SP 800-56B already defines a number of ways to map a seed > into an RSA key. While they’re not perfect (they are overly complex, and > of course, there are a number of methods and parameters in those methods > that we’d need to agree upon), however (IMHO) it’d make more sense to start > from there rather than inventing a new method… > > > > *From:* Cfrg <cfrg-bounces@irtf.org> *On Behalf Of * Phillip Hallam-Baker > *Sent:* Thursday, October 17, 2019 4:26 PM > *To:* cfrg@irtf.org; mathmesh@ietf.org > *Subject:* [Cfrg] Query: Very best practice for RSA key generation > > > > [CC'd to CFRG as this is a crypto question, MATHMESH as the target group, > OpenPGP as a group that recently asked for the same capability. Also to the > cryptography list for additional eyes. Looking to add this to the UDF draft > tomorrow] > > > > A question has come up for generating key pairs from a specified random > seed. I am just looking to add this to UDF and would like advice as to what > the very best practices are for RSA keygen. > > > > The use case here is that the user wants to be able to be very very sure > the key was correctly generated and that they can recover it. So lets say I > want to configure OpenPGP with the same keypair on three different machines > without the full Mesh PKI. > > > > > > The basic idea is that a user has a key which expressed in Base32 looks > like this: > > > > ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ > > > > The first three bytes are > > C8 Type code for key generation with 16 bit key type] > > 00,00 RSA 2048 bit key pair > > > > The remaining characters are to provide randomness for the key > generation function. A minimum of 112 bits (work factor of RSA 2048) are > required. So 112+24 = 136 bits > > > > To generate keys, HMAC-KDF is used > > > > p0 = KDF ("ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ".FromBase32(), "P") > > q0 = KDF ("ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ".FromBase32(), "Q") > > > > p = next_prime (p0) > > q = next_prime (q0) > > > > So that is the RSA part. > > > > I don't plan to do DH. For ECDH, I suggest the NIST and CFRG curves only. > > > > > > OK so some interesting variations. Lets say I don't trust the > random number generator on any one machine. So lets use Shamir Secret > sharing on three different machines for a 140 bit output: > > > > f(1) = SAYE-UHOY-TVZO-LPGT-ZAGE-7JUW-6MTJ-I > f(2) = SAYX-4HWP-3753-L4P3-N4S6-C2G4-QVPA-A > f(3) = SAZD-HQNJ-KSDK-HAY7-BIFO-34Y2-NH7O-C > > > > We can now combine the shares on the target machine to (re)generate the > keypair. We can also give ourselves a couple of additional shares as well: > > > > f(4) = SAZW-WBTE-7MJ2-44B6-TC5X-KRKQ-UEEW-U > f(5) = SA2C-H3IC-2ORN-NOK2-DM3X-OX37-FJ6W-Q > > > > >
- [Cfrg] Query: Very best practice for RSA key gene… Phillip Hallam-Baker
- Re: [Cfrg] Query: Very best practice for RSA key … Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Query: Very best practice for RSA key … Phillip Hallam-Baker