Re: [Mathmesh] [Cfrg] Query: Very best practice for RSA key generation
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 21 October 2019 18:32 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: mathmesh@ietfa.amsl.com
Delivered-To: mathmesh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 224081201E4 for <mathmesh@ietfa.amsl.com>; Mon, 21 Oct 2019 11:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.646
X-Spam-Level:
X-Spam-Status: No, score=-1.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujSLvFbOvZY9 for <mathmesh@ietfa.amsl.com>; Mon, 21 Oct 2019 11:32:31 -0700 (PDT)
Received: from mail-ot1-f54.google.com (mail-ot1-f54.google.com [209.85.210.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCE95120025 for <mathmesh@ietf.org>; Mon, 21 Oct 2019 11:32:27 -0700 (PDT)
Received: by mail-ot1-f54.google.com with SMTP id d8so688099otc.7 for <mathmesh@ietf.org>; Mon, 21 Oct 2019 11:32:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=az4TZSZ+Oo+QUpBoJVGfEIOd+4hVjG9FCxRzs033WO4=; b=ge5AF+8T3iGz+dlzazH79wKOUqJqCz1OKAQwNnAbsrN6G5CmFABPhd4RNpzXLZV9iY nYDFZLrHm7b6aAlTFoRCBDg4EYYxCm980ca5hpqecsGgvXEJ+rNwKo+Vxlbj4/NxNK3Z VMMco5dkq67kn0d11MrJjEMQ+NnMx36ttgO2p123qY1prNT5psyWP8uTEMPQJ6ZesI53 H8qqAUysPp1Hw/2zsTe8EOtrz//97jdfVemW7OfQ9Oaj97ZAS0yaBV5Mcd7NxthP4C/L ndyVgIl/XF4N+un/4VhsJHl4HlXcM2NGPBsXPtXWZJ9XS94RG+YyVisLo5pJkUN/R4dZ 9YDQ==
X-Gm-Message-State: APjAAAWlXiSPMOWvGO5azU117wvIRpD4rIml8F8HqcFsWUvLAwt90wmX Qpr+0uGHD92vwRuZsyKRS2rTkKHGw1DvLPLdJvU=
X-Google-Smtp-Source: APXvYqw5xR2ITTIEj+4VNFswhWN0K1Z+5Bg2jOnF6Jo7vfboj5ivnVh9agGTVw4tY3vyUUqktcYKWdWa/MPNRbYisnU=
X-Received: by 2002:a05:6830:1d8a:: with SMTP id y10mr1631669oti.48.1571682747016; Mon, 21 Oct 2019 11:32:27 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+Lwixgjj-B0qG=0=Z59egb6fJ2BixW53gfvaPUcZ7r9Ys0w@mail.gmail.com> <CAMm+LwhLb7mnQmjAOxMMsPrzAZb==ix9Erfse5UDSoj0uB0iHQ@mail.gmail.com> <BN8PR11MB3666C8581C62EECE4F8A6E91C1690@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <BN8PR11MB3666C8581C62EECE4F8A6E91C1690@BN8PR11MB3666.namprd11.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 21 Oct 2019 14:32:25 -0400
Message-ID: <CAMm+LwhpGBwwcLhti7WYTLwEkCaPt4Ft+xnc6WCqcPJo3Umgdg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "mathmesh@ietf.org" <mathmesh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d5e9db05956fe733"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mathmesh/wekk1R3kAZDuX1hBLdvkcNgL4NM>
Subject: Re: [Mathmesh] [Cfrg] Query: Very best practice for RSA key generation
X-BeenThere: mathmesh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <mathmesh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mathmesh/>
List-Post: <mailto:mathmesh@ietf.org>
List-Help: <mailto:mathmesh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 18:32:33 -0000
Thanks for the info. I will take a look on the next iteration. This is what I sent out on Friday: http://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html One comment on this approach is that rather than using the traditional nextprime(x) function, it would be more satisfactory to take the next output from the KDF. This is easy to do: try KDF (PRK, "p0", l) try KDF (PRK, "p1", l) try KDF (PRK, "p2", l) etc. Where try is a function that extracts the necessary number of bits, sets the first and last to 1 and tests for primality. This ensures that there is an exactly equal probability of choosing every prime in the space rather than a bias towards primes that are preceded by an empty gap of non primes. Not that we know of a reason such a gap might be an issue, but it seems proper to avoid it since we can. I also plan to add DSA to the draft since it has been requested. The mechanism for generating the first prime will be the same. The mechanism for the second prime will be as constrained by the specification. On Mon, Oct 21, 2019 at 11:25 AM Scott Fluhrer (sfluhrer) < sfluhrer@cisco.com> wrote: > Actually, NIST SP 800-56B already defines a number of ways to map a seed > into an RSA key. While they’re not perfect (they are overly complex, and > of course, there are a number of methods and parameters in those methods > that we’d need to agree upon), however (IMHO) it’d make more sense to start > from there rather than inventing a new method… > > > > *From:* Cfrg <cfrg-bounces@irtf.org> *On Behalf Of * Phillip Hallam-Baker > *Sent:* Thursday, October 17, 2019 4:26 PM > *To:* cfrg@irtf.org; mathmesh@ietf.org > *Subject:* [Cfrg] Query: Very best practice for RSA key generation > > > > [CC'd to CFRG as this is a crypto question, MATHMESH as the target group, > OpenPGP as a group that recently asked for the same capability. Also to the > cryptography list for additional eyes. Looking to add this to the UDF draft > tomorrow] > > > > A question has come up for generating key pairs from a specified random > seed. I am just looking to add this to UDF and would like advice as to what > the very best practices are for RSA keygen. > > > > The use case here is that the user wants to be able to be very very sure > the key was correctly generated and that they can recover it. So lets say I > want to configure OpenPGP with the same keypair on three different machines > without the full Mesh PKI. > > > > > > The basic idea is that a user has a key which expressed in Base32 looks > like this: > > > > ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ > > > > The first three bytes are > > C8 Type code for key generation with 16 bit key type] > > 00,00 RSA 2048 bit key pair > > > > The remaining characters are to provide randomness for the key > generation function. A minimum of 112 bits (work factor of RSA 2048) are > required. So 112+24 = 136 bits > > > > To generate keys, HMAC-KDF is used > > > > p0 = KDF ("ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ".FromBase32(), "P") > > q0 = KDF ("ZAAA-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ".FromBase32(), "Q") > > > > p = next_prime (p0) > > q = next_prime (q0) > > > > So that is the RSA part. > > > > I don't plan to do DH. For ECDH, I suggest the NIST and CFRG curves only. > > > > > > OK so some interesting variations. Lets say I don't trust the > random number generator on any one machine. So lets use Shamir Secret > sharing on three different machines for a 140 bit output: > > > > f(1) = SAYE-UHOY-TVZO-LPGT-ZAGE-7JUW-6MTJ-I > f(2) = SAYX-4HWP-3753-L4P3-N4S6-C2G4-QVPA-A > f(3) = SAZD-HQNJ-KSDK-HAY7-BIFO-34Y2-NH7O-C > > > > We can now combine the shares on the target machine to (re)generate the > keypair. We can also give ourselves a couple of additional shares as well: > > > > f(4) = SAZW-WBTE-7MJ2-44B6-TC5X-KRKQ-UEEW-U > f(5) = SA2C-H3IC-2ORN-NOK2-DM3X-OX37-FJ6W-Q > > > > >
- [Mathmesh] Query: Very best practice for RSA key … Phillip Hallam-Baker
- Re: [Mathmesh] [Cfrg] Query: Very best practice f… Scott Fluhrer (sfluhrer)
- Re: [Mathmesh] [Cfrg] Query: Very best practice f… Phillip Hallam-Baker