Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

Marcus Brinkmann <marcus.brinkmann@rub.de> Fri, 18 October 2019 13:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/-BXPibvjq-BJ2RvmhPEPCPsMZJg>

On 10/17/19 7:42 PM, Daniel Kahn Gillmor wrote:
> On Thu 2019-10-17 12:13:20 +0200, Michael Richardson wrote:
>> That's a good point; however sometimes perfect is the enemy of good enough,
>> and that has been the case for encrypted email for a long time.
>>
>> A recoverable key would be an option, not a requirement.
> 
> yep, that's why i'm trying to help think this through, even though i'm
> not particularly excited about it. :)
> 
>> {An interesting (mathematical, density of primes) question would be whether
>> one would be able to determine from looking at the public key whether it was
>> recoverable or not.  That is, can one recognize some pattern in the expanded
>> DRBG. It might still be statistically secure, yet since the amount of entropy
>> in the key is less than the entropy in the input, it might leave a pattern}
> 
> Can you give an example of this?  I haven't tried to prove this, but i
> think if the generated public key (whether a curve25519 point or an RSA
> modulus) is distinguishable from other public keys, there is a strong
> argument to be made that either the DRBG or the secret key derivation
> mechanism is deeply flawed.

Svenda, et al: "The Million-Key Question – Investigating the Origins of
RSA Public Keys", USENIX Security Symposium 2016.

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_svenda.pdf

"We analysed over 60 million freshly generated key pairs from 22 open-
and closed-source libraries and from 16 different smartcards, revealing
significant leakage."

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Phone: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann