[Cfrg] Query: Very best practice for RSA key generation
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 17 October 2019 20:26 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E16A1200FA for <cfrg@ietfa.amsl.com>; Thu, 17 Oct 2019 13:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.474
X-Spam-Level:
X-Spam-Status: No, score=-1.474 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.172, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kBvQ1C09Tg3b for <cfrg@ietfa.amsl.com>; Thu, 17 Oct 2019 13:26:02 -0700 (PDT)
Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 380641209B5 for <cfrg@irtf.org>; Thu, 17 Oct 2019 13:26:02 -0700 (PDT)
Received: by mail-ot1-f44.google.com with SMTP id k32so3059567otc.4 for <cfrg@irtf.org>; Thu, 17 Oct 2019 13:26:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=8XmKzD85WFTcSUV2tL4ZfTIL96A/9dczsTkvcrviQD4=; b=cq3lkvJuVPvuIMS0ZyJqva+7m4zUjZn4xFuDul0YaGtENHptnTTt0mOf2xUbnNFvTd 2pXpNSI94HCwyJxNKRN0ljeGk2jzK7peqpnihetc5x60msE4BQyKOwlrLd2fq/UIDqyp QsrUrtiUuHj/mc+HmC8neU35F6QihcCmHDt1Tczxufvg3PoV9vFEHVmmJ4gUOq3lnRNg 21sKyUr6gdFvmcsJP67+fl6U2eBBFbzu+tZgDy46beq2qOIy12kubFVGNDtcftmKbyYj qdXFqQ43YmZAFi0v2GZ1+5A2uCFBt+Jho0EeoME/gUQTpE7U+1EiSL5CaYt7RivCwPxh tzBw==
X-Gm-Message-State: APjAAAVUT4q5HRw+3s+1k/ATfkjLRdQpagqsEDdlsadJxJ5t/AmuK9bQ X87G6OVmysm55yX/PTNekdfDd1gtRNenNvCw34XSXf78
X-Google-Smtp-Source: APXvYqxMbT89A9SgsY9TfdnuzqKx+gZXzO8e8fKuTmWrU3nYFmQJM0iE7H5hyDlKc0lXY/yelfwMH03lKqicosJbhqY=
X-Received: by 2002:a9d:3a3:: with SMTP id f32mr4916153otf.231.1571343961172; Thu, 17 Oct 2019 13:26:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+Lwixgjj-B0qG=0=Z59egb6fJ2BixW53gfvaPUcZ7r9Ys0w@mail.gmail.com>
In-Reply-To: <CAMm+Lwixgjj-B0qG=0=Z59egb6fJ2BixW53gfvaPUcZ7r9Ys0w@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 17 Oct 2019 16:25:56 -0400
Message-ID: <CAMm+LwhLb7mnQmjAOxMMsPrzAZb==ix9Erfse5UDSoj0uB0iHQ@mail.gmail.com>
To: cfrg@irtf.org, mathmesh@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a031d305952106af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/n3cJSs-ivUIQpzf8C9OY0XMRXuI>
Subject: [Cfrg] Query: Very best practice for RSA key generation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2019 20:26:04 -0000
[CC'd to CFRG as this is a crypto question, MATHMESH as the target group,
OpenPGP as a group that recently asked for the same capability. Also to the
cryptography list for additional eyes. Looking to add this to the UDF draft
tomorrow]
A question has come up for generating key pairs from a specified random
seed. I am just looking to add this to UDF and would like advice as to what
the very best practices are for RSA keygen.
The use case here is that the user wants to be able to be very very sure
the key was correctly generated and that they can recover it. So lets say I
want to configure OpenPGP with the same keypair on three different machines
without the full Mesh PKI.
The basic idea is that a user has a key which expressed in Base32 looks
like this:
ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ
The first three bytes are
C8 Type code for key generation with 16 bit key type]
00,00 RSA 2048 bit key pair
The remaining characters are to provide randomness for the key
generation function. A minimum of 112 bits (work factor of RSA 2048) are
required. So 112+24 = 136 bits
To generate keys, HMAC-KDF is used
p0 = KDF ("ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ".FromBase32(), "P")
q0 = KDF ("ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ".FromBase32(), "Q")
p = next_prime (p0)
q = next_prime (q0)
So that is the RSA part.
I don't plan to do DH. For ECDH, I suggest the NIST and CFRG curves only.
OK so some interesting variations. Lets say I don't trust the random number
generator on any one machine. So lets use Shamir Secret sharing on three
different machines for a 140 bit output:
f(1) = SAYE-UHOY-TVZO-LPGT-ZAGE-7JUW-6MTJ-I
f(2) = SAYX-4HWP-3753-L4P3-N4S6-C2G4-QVPA-A
f(3) = SAZD-HQNJ-KSDK-HAY7-BIFO-34Y2-NH7O-C
We can now combine the shares on the target machine to (re)generate the
keypair. We can also give ourselves a couple of additional shares as well:
f(4) = SAZW-WBTE-7MJ2-44B6-TC5X-KRKQ-UEEW-U
f(5) = SA2C-H3IC-2ORN-NOK2-DM3X-OX37-FJ6W-Q
- [Cfrg] Query: Very best practice for RSA key gene… Phillip Hallam-Baker
- Re: [Cfrg] Query: Very best practice for RSA key … Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Query: Very best practice for RSA key … Phillip Hallam-Baker