Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
"brian m. carlson" <sandals@crustytoothpaste.net> Sat, 19 October 2019 04:40 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852AB12022D for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 21:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLK0f9IbPei5 for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 21:40:14 -0700 (PDT)
Received: from injection.crustytoothpaste.net (injection.crustytoothpaste.net [192.241.140.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 966BF120019 for <openpgp@ietf.org>; Fri, 18 Oct 2019 21:40:14 -0700 (PDT)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:b610:a2f0:36c1:12e3]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by injection.crustytoothpaste.net (Postfix) with ESMTPSA id 185F360458 for <openpgp@ietf.org>; Sat, 19 Oct 2019 04:40:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1571460013; bh=s/oaNYZbQN8xvADhVP12nyO+lMWa86ozJvpHxyzf+6k=; h=Date:From:To:Subject:References:Content-Type:Content-Disposition: In-Reply-To:From:Reply-To:Subject:Date:To:CC:Resent-Date: Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=t9bDF0k+Vhw5lqRNvtCGvksJwttGPw5qmpTdhzB2w+JNYYDWOQ5BwrxdabxeCDw3+ AXKoWM4LM+uxN/DBBUpU93MeoVTmThmC5bgjjSBuAcgc4osY9XVut8mFymD+1ARbVk WT8m9Dcqb8X29BSxdN0bwlvbQ4+5qHC+xovxYUKIxYf24UdQgmPO7ClXsod318gXou 5l6mnAkVMM072ZK81ocaX0iNM4ij0B1QfzTpdylafY8eHfvVX5MFa/mIiUrTNQf5Bz LTIGpVXZ5KXMXz+9jBjFzU50yScSLHr85fUHn+jC+VXHdg7qBaGYEyi1mhdLh0Xbfb twRXSTLIex51Ir/8vTykPShrVONp/5SNGH5LL3XBw5Nafr/EEpWUti6NiPWVfWjb52 APHDGrE/+5xT44MY41jx1x8j+6PS5pavUJ0DVgoUah3lpwX0B57flu9GYPlLeotvBs l7cfoB3S37Uu1N4EcYby5pL9AyuOCg6jYuBo3iBx7p5z2LiYKDN
Date: Sat, 19 Oct 2019 04:40:08 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: IETF OpenPGP <openpgp@ietf.org>
Message-ID: <20191019044008.othhw7j5fktqxdta@camp.crustytoothpaste.net>
References: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de> <FAAB5286-1C26-4F32-AB76-8B1E2C93FA77@icloud.com> <2efcd737-34b3-00bb-527f-725daf6e8509@kuix.de> <20191018225100.bnslptroeenuusxf@camp.crustytoothpaste.net> <CAMm+LwhL7ys67J=TaLwWDFEpb91H5SwQChVuoaHHqmCsoTiQjg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gjxvs7vxqlafnh4w"
Content-Disposition: inline
In-Reply-To: <CAMm+LwhL7ys67J=TaLwWDFEpb91H5SwQChVuoaHHqmCsoTiQjg@mail.gmail.com>
X-Machine: Running on camp using GNU/Linux on x86_64 (Linux kernel 5.3.0-trunk-amd64)
User-Agent: NeoMutt/20180716
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BRmIg0BDvrY2Hxs59Hm4l2Zt3pw>
Subject: Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Oct 2019 04:40:17 -0000
On 2019-10-19 at 03:40:03, Phillip Hallam-Baker wrote: > Someone just said we need a spec. Here is a spec: > https://www.ietf.org/id/draft-hallambaker-mesh-udf-07.txt > > It is in the new format which is intended to be read as HTML. Until the > tools catch up, you can read it here: > http://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html This doesn't specify any method of primality testing which means different implementations can produce different values[0] (and is therefore not deterministic), unless you literally interpret the text "smallest prime integer" as requiring an actual prime. That could be implemented by using the Miller test instead of Miller-Rabin, but that would be much, much slower. In this particular case, the approach to invalid keys (where p and q are unsuitable) is "try again with a different seed", which is probably okay in terms of RSA, because the number of retries necessary will be low. It also doesn't specify DSA keys, which, while uncommon, are still a part of the spec. The "try again" approach will probably be a little more difficult here. > The draft does not specify the value of e which it should but I am pretty > sure we have standardized on 65537. I see no reference to p being greater > than q and it is a mystery to me why we would care when the RSA parameters > are the modulus and the private exponent d. Knowledge of p and q is only > used to determine d, they are not req The OpenPGP secret key contains u, the multiplicative inverse of p mod q, which is used along with p and q for the Chinese Remainder Theorem. RFC 4880 specifically mentions that p must be less than q, which is required for u to exist. (This is backwards from most other specs, which require the opposite and define u as the multiplicative inverse of q mod p.) It is, of course, possible to retain only n and d and eat the performance penalty, but that would not produce a valid OpenPGP secret key. [0] Yes, people should pick a suitable number of iterations for primality testing, but there are people that pick 1 iteration for PBKDF2, which is a demonstration of why we can't have nice things. We actually have to tell people how to write things in an interoperable and secure way. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
- [openpgp] Deriving an OpenPGP secret key from a h… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Jon Callas
- Re: [openpgp] Deriving an OpenPGP secret key from… Daniel Kahn Gillmor
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Daniel Kahn Gillmor
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Marcus Brinkmann
- Re: [openpgp] Deriving an OpenPGP secret key from… brian m. carlson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… brian m. carlson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Heiko Stamer
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker