Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

Kai Engert <kaie@kuix.de> Thu, 17 October 2019 09:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/8kBHQAizeFV-X0Otg1ReoD7hSyo>

On 16.10.19 21:27, Daniel Kahn Gillmor wrote:
> I'm not sure i see the value of any of the above fields for such a seed.
> If they're needed for OpenPGP, i think they're incomplete (lacking key
> creation timestamp at least) -- but i don't think they're needed.

We could add the creation timestamp. To save bits, we could introduce a
new epoch that starts in October 2019. This new recovery mechanism
wouldn't support older keys.

With a 33-bit unsigned integer, we get 272 years. To compute, calculate
the regular 64-bit unix epoch (since 1970). Then subtract the new epoch
start timestamp (e.g. 1572000000 for 2019-10-25). Encode that as a 33-bit
unsigned integer. Will work until year 2272.


> For initial secret key generation, these parameters -- key algo, key
> size, creation timestamp, etc -- can be made at key creation time and
> don't need to be recorded in the phrase.
> 
> For secret key recovery, presumably the user has the OpenPGP certificate
> ("transferable public key") available to them already, which contains
> all the above information already.  I'd imagine that the recovery
> process in the OpenPGP context would take the certificate and the
> mnemonic, deriving all of the above fields from the certificate.

What about a user who owns just a single computer, it breaks, and
they've lost all their files, and only the IMAP mail archive is left?

Maybe the user never uploaded their key to a key server, there's no backup.

Maybe the user has an email with the attached public key somewhere, but
can it be found reliably?

If we don't record any key information in the Mnemonic, the user must
perform some bootstrap action, prior to being able to regenerate the key:

- look at existing encrypted email, and extract the key ID, to understand
which key needs to be recovered. But that might be a subkey ID, so
further searching is required to identify the ID of the master key?

- search through existing email, in the hope that the full public key is
attached somewhere, either regular attachment, or maybe an outgoing
autocrypt header (only if user's client had autocrypt headers enabled).
Maybe there's no such email?

- contact one of the correspondents, and ask them to send the public key
back. Maybe the user doesn't want to do that?

It might be useful if recovery didn't depend on the above.


> I'm not personally very convinced about this general approach -- it's
> the equivalent of an unchangeable password that you've committed to
> publicly

Why do you consider it equivalent, if the seed was randomly generated,
and the list of words isn't influenced by the user?

Thanks
Kai
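
Added example, not part of the original message: a Python sketch of the creation-timestamp field described above, using the epoch start (1572000000) and 33-bit width the message suggests. The function names and the bit-string payload layout are assumptions made for illustration; the 4-octet check reflects the creation-time field of an OpenPGP v4 key packet, which feeds the fingerprint.

```python
# Added illustration; names and payload layout are hypothetical.
NEW_EPOCH = 1572000000            # epoch start suggested in the message
FIELD_BITS = 33                   # field width suggested in the message
FIELD_MAX = (1 << FIELD_BITS) - 1


def encode_creation_time(unix_ts):
    """Seconds since NEW_EPOCH, checked against the 33-bit field."""
    offset = unix_ts - NEW_EPOCH
    if offset < 0:
        raise ValueError("key predates the new epoch; not representable")
    if offset > FIELD_MAX:
        raise ValueError("creation time exceeds the 33-bit range")
    return offset


def decode_creation_time(offset):
    """Recover the regular unix timestamp from the stored offset."""
    if not 0 <= offset <= FIELD_MAX:
        raise ValueError("offset does not fit in 33 bits")
    return offset + NEW_EPOCH


def pack_field(seed_bits, offset):
    """Append the field to a '0'/'1' string (assumed layout: seed, then time)."""
    return seed_bits + format(offset, "0{}b".format(FIELD_BITS))


def unpack_field(payload):
    """Split a payload back into (seed_bits, offset)."""
    if len(payload) < FIELD_BITS or set(payload) - {"0", "1"}:
        raise ValueError("malformed payload")
    return payload[:-FIELD_BITS], int(payload[-FIELD_BITS:], 2)


def v4_creation_octets(unix_ts):
    """Creation time as the 4-octet big-endian value a v4 key packet holds."""
    if not 0 <= unix_ts <= 0xFFFFFFFF:
        raise ValueError("timestamp does not fit a 4-octet creation time")
    return unix_ts.to_bytes(4, "big")


if __name__ == "__main__":
    created = 1600000000          # constructed sample creation time
    payload = pack_field("1011", encode_creation_time(created))
    seed, offset = unpack_field(payload)
    print(seed, offset, v4_creation_octets(decode_creation_time(offset)).hex())
```

The recovered value has to match the original creation time to the second, since a different timestamp in the key packet yields a different fingerprint.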