Re: [Mathmesh] A different approach to key escrow

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 03 September 2019 14:51 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: mathmesh@ietfa.amsl.com
Delivered-To: mathmesh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66B431208D4 for <mathmesh@ietfa.amsl.com>; Tue, 3 Sep 2019 07:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8UBhlzTJwLcu for <mathmesh@ietfa.amsl.com>; Tue, 3 Sep 2019 07:51:23 -0700 (PDT)
Received: from mail-ot1-f41.google.com (mail-ot1-f41.google.com [209.85.210.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 547621208AF for <mathmesh@ietf.org>; Tue, 3 Sep 2019 07:51:23 -0700 (PDT)
Received: by mail-ot1-f41.google.com with SMTP id p23so17043126oto.0 for <mathmesh@ietf.org>; Tue, 03 Sep 2019 07:51:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gSOp/ald9IkSR811vnV6O+bm5gaZL0C6YCgf2HZHUwo=; b=fIW4sWOrKSeLYJ43NhAW4+zPsWIyR1HYVkTFc1a8YtWModQzO4nUL95OSZxmobNgKa v9qUK/cvEAeUfu7E40YmWvCGhoWc2fiDbR99NL2DYLAIbUwbQouurE2Pbeuu2HmCMOtO PPfF284N8JD0tjSa8y4ec+LzQ+QW5xOpkYkojSz/OPcc24nmLwcEJUrp7rMWwQYLszJo /FrlflkURYgYzr8SLxyS7juLHcUqi3/tPxQUXOKnRDP1qEpr1UiGiL+zf0BmkcoDEHUH moLcKM6aAdXEN5HCsIwCH34mCuEe+mxX3EvFGdCV0hJD6fT+oJWdOucION4JfB5GCk1L IPjQ==
X-Gm-Message-State: APjAAAWfggOuASXYcx//SBqewWdrMgLjNEVmd2Me+CqMyk2DZK5Gihpy m3TjhpRMe96tRveF1OURNZyJyBOKSyZYhz/78RDNkrE5
X-Google-Smtp-Source: APXvYqyXPv98pVmOR+GkiTxA38uMCjEk/i83Zt0PvYqQygJVcY1pE/7bvACYQQTB5lRMLiOc86pu8MM/8TGftvY96j8=
X-Received: by 2002:a9d:4e97:: with SMTP id v23mr5232228otk.112.1567522282538; Tue, 03 Sep 2019 07:51:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiZqA=M90YdmQOV+sAy+T-prhzphct2bsOyPmaQ4V2oOA@mail.gmail.com> <6241.1567487279@localhost>
In-Reply-To: <6241.1567487279@localhost>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 3 Sep 2019 10:51:11 -0400
Message-ID: <CAMm+LwhKHHz8e6b2C61zjFDv+shsLsBgxaAv=88dFG3kdJ9Fiw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: mathmesh@ietf.org, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000d40d720591a7388c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mathmesh/-_Kl_ad9ZQVD4bL-nTWEuTqb2VA>
Subject: Re: [Mathmesh] A different approach to key escrow
X-BeenThere: mathmesh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <mathmesh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mathmesh/>
List-Post: <mailto:mathmesh@ietf.org>
List-Help: <mailto:mathmesh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 14:51:26 -0000

OK so here is the difference.

In each case

Alice's master secret is
     97 BE C3 8C  EC 32 E3 A8  14 BE 38 AC  49 B3 58 D0

This has the UDF representation:
   ECL3-5Q4M-5QZO-HKAU-XY4K-YSNT-LDIA


We can split that using shamir secret sharing:

   f(1) = SAYE-UHOY-TVZO-LPGT-ZAGE-7JUW-6MTJ-I
   f(2) = SAYX-4HWP-3753-L4P3-N4S6-C2G4-QVPA-A
   f(3) = SAZD-HQNJ-KSDK-HAY7-BIFO-34Y2-NH7O-C
   f(4) = SAZW-WBTE-7MJ2-44B6-TC5X-KRKQ-UEEW-U
   f(5) = SA2C-H3IC-2ORN-NOK2-DM3X-OX37-FJ6W-Q


The difference is how we generate the private key pairs.

What is done now is that the Master Profile key pairs for encryption and
signature are generated in the normal way. The private keys are wrtiten out
to an escrow record that is encrypted under ECL3-5Q4M...

So recovery requires at least three of the key shares plus the encrypted
escrow record.


The other way to go about it is to use a KDF to generate the private keys
for the master profile:

Signing Key = HKDF ( [97 BE C3 8C EC 32 E3 A8 14 BE 38 AC 49 B3 58 D0],
"mmm/mesh-signature/Ed448". 448)
Escrow Key = HKDF ( [97 BE C3 8C EC 32 E3 A8 14 BE 38 AC 49 B3 58 D0],
"mmm/mesh-escrow/X448", 448)

So now recovery of the escrow record ONLY requires the master secret
ECL3-5Q4M-5QZO-HKAU-XY4K-YSNT-LDIA.
There is no encrypted escrow record.

Pros: More convenient.
Cons: The private keys have less ergodicity and are related by means of the
HMAC function.

If we are confident of our algorithms being secure, 2^128 is an infeasible
work factor. And if you look into how the scheme is implemented, we are not
talking about SHA-2-512 (x), we are talking about SHA-2-512 ( SHA-2-512 (
SHA-2-512 ( SHA-2-512 (x)  )  )  ).

If we are not confident of our algorithms being secure, we can use any size
work factor we like up to the size of our private key size. The recovery
shares just get a bit larger.


What I like about this is that I can easily specify an example key set just
by giving the master secret.


On Tue, Sep 3, 2019 at 1:08 AM Michael Richardson <mcr+ietf@sandelman.ca>;
wrote:

>
> Phillip Hallam-Baker <phill@hallambaker.com>; wrote:
>     > This works with any public key algorithm but it requires a service.
>
> ....
>
>     > * Generate a master secret of at least 128 bits
>     > * Use a KDF to generate the master key pairs for Encryption and
> Signature
>     > from the master secret
>     > * Use Shamir secret sharing to split the master secret  n out of m
> ways
>
>     > Thoughts?
>
> I don't understand how the need for the service is different.
>
>     > One side benefit of this approach is that it becomes quite easy to
> give
>     > test vectors, just give the master secret used to generate the key
>     > pairs.
>
> please expand.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>;, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
>
> --
> Mathmesh mailing list
> Mathmesh@ietf.org
> https://www.ietf.org/mailman/listinfo/mathmesh
>