IETF Logo Mail Archive

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

"brian m. carlson" <sandals@crustytoothpaste.net> Sat, 19 October 2019 04:40 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852AB12022D for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 21:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLK0f9IbPei5 for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 21:40:14 -0700 (PDT)
Received: from injection.crustytoothpaste.net (injection.crustytoothpaste.net [192.241.140.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 966BF120019 for <openpgp@ietf.org>; Fri, 18 Oct 2019 21:40:14 -0700 (PDT)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:b610:a2f0:36c1:12e3]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by injection.crustytoothpaste.net (Postfix) with ESMTPSA id 185F360458 for <openpgp@ietf.org>; Sat, 19 Oct 2019 04:40:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1571460013; bh=s/oaNYZbQN8xvADhVP12nyO+lMWa86ozJvpHxyzf+6k=; h=Date:From:To:Subject:References:Content-Type:Content-Disposition: In-Reply-To:From:Reply-To:Subject:Date:To:CC:Resent-Date: Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=t9bDF0k+Vhw5lqRNvtCGvksJwttGPw5qmpTdhzB2w+JNYYDWOQ5BwrxdabxeCDw3+ AXKoWM4LM+uxN/DBBUpU93MeoVTmThmC5bgjjSBuAcgc4osY9XVut8mFymD+1ARbVk WT8m9Dcqb8X29BSxdN0bwlvbQ4+5qHC+xovxYUKIxYf24UdQgmPO7ClXsod318gXou 5l6mnAkVMM072ZK81ocaX0iNM4ij0B1QfzTpdylafY8eHfvVX5MFa/mIiUrTNQf5Bz LTIGpVXZ5KXMXz+9jBjFzU50yScSLHr85fUHn+jC+VXHdg7qBaGYEyi1mhdLh0Xbfb twRXSTLIex51Ir/8vTykPShrVONp/5SNGH5LL3XBw5Nafr/EEpWUti6NiPWVfWjb52 APHDGrE/+5xT44MY41jx1x8j+6PS5pavUJ0DVgoUah3lpwX0B57flu9GYPlLeotvBs l7cfoB3S37Uu1N4EcYby5pL9AyuOCg6jYuBo3iBx7p5z2LiYKDN
Date: Sat, 19 Oct 2019 04:40:08 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: IETF OpenPGP <openpgp@ietf.org>
Message-ID: <20191019044008.othhw7j5fktqxdta@camp.crustytoothpaste.net>
References: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de> <FAAB5286-1C26-4F32-AB76-8B1E2C93FA77@icloud.com> <2efcd737-34b3-00bb-527f-725daf6e8509@kuix.de> <20191018225100.bnslptroeenuusxf@camp.crustytoothpaste.net> <CAMm+LwhL7ys67J=TaLwWDFEpb91H5SwQChVuoaHHqmCsoTiQjg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gjxvs7vxqlafnh4w"
Content-Disposition: inline
In-Reply-To: <CAMm+LwhL7ys67J=TaLwWDFEpb91H5SwQChVuoaHHqmCsoTiQjg@mail.gmail.com>
X-Machine: Running on camp using GNU/Linux on x86_64 (Linux kernel 5.3.0-trunk-amd64)
User-Agent: NeoMutt/20180716
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BRmIg0BDvrY2Hxs59Hm4l2Zt3pw>
Subject: Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Oct 2019 04:40:17 -0000

On 2019-10-19 at 03:40:03, Phillip Hallam-Baker wrote:
> Someone just said we need a spec. Here is a spec:
> https://www.ietf.org/id/draft-hallambaker-mesh-udf-07.txt
> 
> It is in the new format which is intended to be read as HTML. Until the
> tools catch up, you can read it here:
> http://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html

This doesn't specify any method of primality testing which means
different implementations can produce different values[0] (and is
therefore not deterministic), unless you literally interpret the text
"smallest prime integer" as requiring an actual prime.  That could be
implemented by using the Miller test instead of Miller-Rabin, but that
would be much, much slower.

In this particular case, the approach to invalid keys (where p and q are
unsuitable) is "try again with a different seed", which is probably okay
in terms of RSA, because the number of retries necessary will be low.

It also doesn't specify DSA keys, which, while uncommon, are still a
part of the spec.  The "try again" approach will probably be a little
more difficult here.

> The draft does not specify the value of e which it should but I am pretty
> sure we have standardized on 65537. I see no reference to p being greater
> than q and it is a mystery to me why we would care when the RSA parameters
> are the modulus and the private exponent d. Knowledge of p and q is only
> used to determine d, they are not req

The OpenPGP secret key contains u, the multiplicative inverse of p mod
q, which is used along with p and q for the Chinese Remainder Theorem.
RFC 4880 specifically mentions that p must be less than q, which is
required for u to exist.  (This is backwards from most other specs,
which require the opposite and define u as the multiplicative inverse of
q mod p.)

It is, of course, possible to retain only n and d and eat the
performance penalty, but that would not produce a valid OpenPGP secret
key.

[0] Yes, people should pick a suitable number of iterations for
primality testing, but there are people that pick 1 iteration for
PBKDF2, which is a demonstration of why we can't have nice things.  We
actually have to tell people how to write things in an interoperable
and secure way.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

v2.23.0 | Report a Bug | By Email