IETF Logo Mail Archive

[openpgp] Deriving an OpenPGP secret key from a human readable seed

Kai Engert <kaie@kuix.de> Tue, 15 October 2019 12:16 UTC

Return-Path: <kaie@kuix.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 887EE12000F for <openpgp@ietfa.amsl.com>; Tue, 15 Oct 2019 05:16:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kuix.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jyFdN9ze_yE for <openpgp@ietfa.amsl.com>; Tue, 15 Oct 2019 05:16:36 -0700 (PDT)
Received: from cloud.kuix.de (cloud.kuix.de [IPv6:2001:8d8:1801:86::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4637B12008A for <openpgp@ietf.org>; Tue, 15 Oct 2019 05:16:35 -0700 (PDT)
Received: from [10.137.0.12] (ip-178-203-234-118.hsi10.unitymediagroup.de [178.203.234.118]) by cloud.kuix.de (Postfix) with ESMTPSA id 1F35B1858E6 for <openpgp@ietf.org>; Tue, 15 Oct 2019 12:16:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kuix.de; s=2018; t=1571141792; bh=WRi0PGY5sift6IruWxjAL4qvw+TYJRUdmVAbIP548DQ=; h=From:Subject:To:Date:From; b=EbCBhS5Ew38W8PeYJcAzsB02ESUBfymmDNC4tzdtfjQV67tPa3kG25b71ZG7SfJ7o Oo39VgEFLM0QxnN0wGe091bkXxalx5elPZP5Uv/NI89G1h4OxlQqoTzZfleJIYAR6K KP4pksKmMdeGqUGMSiMCDifK6asGzeOECdJqiZZkMfMvZOXVhp50d9fXaT9czL/8rZ V6VrteE1l1H/4SiLdfNWmMRbq/lQGq2ELrDFFZY1SImpwr7EFx3nMkfYYSwRYuSqwk I9mwwV9gyxlneyKUztWfuIg+zjgi3jWkCYrxuRA90Cq3RDSbdyPusX+t2wUe+Kuhqk Xm61XK2DpiD3g==
From: Kai Engert <kaie@kuix.de>
Autocrypt: addr=kaie@kuix.de; keydata= xsFNBE8oE/UBEAC/Vx4tHVkfPdGf0BFMGcidXzAXKQ4+gI2F5rPBoV9fEtYngLHzm7+a6DL2 v5Jl5b4by9KtUbfIJysR1iniLWMJVPXZcyC4ovGouZ4MGK5cD9kMy+JdwebCs5/tj51vcvrS 08dP7r9Q0f0H7tsqhtVWuPFt+ZZEj8fIxjMgE3Z5BcyoGT1mXQ544RA0vr0fB9MngvfteD3L /wL2miDnYVtwB+VHC6kEB75Pte/yz1kFc/TDqKT8F45M3invhccY8Zwe7F88+uS+tgR5B3Ga RMc9WChZr5ed5vRxSLrGqBGSWBKomKuWXNFVMrZAOaq+W/+kOdNSXLdJSvXIAgV4Gywf1D0r ZTi8V+UoiTY8eDfT4OlBJrbbkge92/lrqaorAsuo/DVmfv7ARk7q2jvbSZD39zkWpLNsAulz gZOr+ffEHKy0f9fNwzenHpKvNtTUWGChEyDf7a6EtTBZsxAYco0xAtFOoQVwx5UzZk4tMVhv lrATrvmFdK5SLroDuwtSLUBJ5MhICyaB1kN7YSatQs33D+M5oPKVC+mn1WB/nznU475cssBW Asw+/K4VtXN08HxVFEvpV5MtpoYGe/cqsV87aVr/Igg45DVKtMMK8W5AmJDdGru3caxdVkkW fis9F1GBkk7ZPgip4cprh3KicuKsXhVrjk2mC/kCR+mrlY8ncQARAQABzSNLYWkgRW5nZXJ0 IChhdCB3b3JrKSA8a2FpZUBrdWl4LmRlPsLBegQTAQIAJAIbAwIeAQIXgAIZAQUCVdbtjAUL CQgHAwUVCgkICwUWAgMBAAAKCRAcJ0I3JQB3JEoOEAC9YaJFZCdCFXMb9HkQ4TS1z813EgTO lDFQwQ9vF26edvBjm80xcLQYUN5iRr6RNcHpx6FZLUX+AwAB5Cf2swVjvZB3LycwlKyKVuwd bXoLHPgq0XVu2l/ZbEKKmIR70UGAL/CKmZZm5rimicD1B5P+VXrnSl8uA7MjQFNnWnDuDHGk 9A/dl7RAEAenAiFlRFR5lwu9U/4TG0OrACgp7OIls3/jcszRRMJrc5OiTGWPq4d+Bo3a1yqA fdS2VjMObO8+zO7+4tact5uVFxrbMIRULKP0xJC/X77koUyn6ZSFIyFjJR2I/p4PCCLD0soJ 06e1e9bKUsKowFGwrvMnXqGEA4lij22R80paRH7VQ0QKQW9RDSqlF1YUafHpCt9D5i7HG2Ft ZgYz7VlfS27YMvG6Np+fN5Devh9Hap6fK5+SBTcs8v0Tgf8Ljx7OlajRHNtBxqRcPghnCZTJ oQpAJup5TYeqSGyp/Q2VT80h9iySGfBnn30qhcTr5lqOg/2NvQeu9wNVKBPmr8QpCfYb7ENZ CBifohzqBV8D6HaoBFeNts37kugcMWTw4C/RCtYI8TnjR18caDkc3kDh5p6anLnnQhCnGSVu LFj52lazHkj3FE+Ijg8ir95hm0d4PWZqk5UNfEPUa6ltBkHZstdpBvtqN+HxXpovqf8agBaZ ol2vXc7BTQRPKBP1ARAA54JU09VzBOPw44IYINiuQAEeyikO5sLT+Ixee8MM+T8tXk0Z9RSw UVctu8DwM+f8NjRI+dvmGSgezsiNL1ZkVuN37GM4dg7ZJ8oZCB5/YQQCCx1z7q4d68XsEfTs edl+Y2GcggbR6EpN4RbR38N6uhwKFZw0meuP6m1NaRCnihciJrXdoKxXcoHAxy3balGTPAbv OUmQaqI7dY5DVFPOT5I2wl1cWbkkTcx4wu8190sSMeW/IbwIg7inC/nqXCSKL633+Hv/2GcV zvBNK8JxO5YaHuHl+GBwP6cHlotHd2qr/BSyhYCt3CcMDHXR+vwSwawC+/zUpR5THrVLT6E/ hlpAZX5HQsY9BMrllI0Ap7MClj+kvRlkukNfc3/CKpAL1RjDV5+sr91ffBNXbZgpsp3/uCI6 QuJpFdUY8js5aYNwHCFbX8xkzdFqG95vt+uNoq/F7p7dEQi3BE0H2b0c4kuJX4G9MrAKdyfY r1KiPX513AQeIXZCE9UogON5jvKF6PBTTuzomsCZBa9ExbkLv+uCm7Q+EC4WwvvpbUaaLpmu t+oqnsSrYehg4ydm5NRhgfJy+Ris1sKAptyA7AlDWWsP5fFZE0rxeoDrTdbX6JVjxT509DtW a4rI0qgGTt625J6irm6nfbF8M1V5ZaBmSstWC/PDdggsfl35abQHxk8AEQEAAcLBXwQYAQIA CQUCTygT9QIbDAAKCRAcJ0I3JQB3JA5FEACCSZIzygwTFoOcFciojcbY3uvNamflJ0fMAv+h wO/Blprd1cHBmI0dQoTbpQ4NX33f9PVh4X9eCrxMCzUKB8RBS5ZNk5P0PYhJNooqKTmM3JIl coyvTruz9/Q2nbPA6z+0c7KJpmdJKn60vZfR4UDfwIOEqYvrZRbld3Bv1XXUQ6NHWvX6x2Ft vmASNON5m7ml4zwH6qSASJ0JZo0CuLwSOanmc5r+rDwtHHGqEpp6VwXpcPyF6ZUG5i0rU4OT H2y0kOb+7igK25LmjiXFNqbQb+K4lchVpxIGV6MvW6GAd3L0ei8cnYccZhAoPNCbKgEIA7qW 8g93U6Wf+P0yu9DbOqz2ETXoEqRJVDNLTrrvKyRYBDNpqvleUJtBHMnpU1Oqhf+ddCT292Ux fK9CoQe+st1QD5Mazlrnw4PuH7etS/Y2na7rXwqvop/IIu6Ba90/nddv/0cqvaRaDFYVN6HU GATLienjv0yS0QVTf/2x7B2NCtyT3lqRHrFByzm0FPAFxbr1HFJgE5CPGrmCn6ToR77gNBkL KUU3MVTGTRe35JHc5QVFuUwcrRBT/EcK8A3u0wmORswNnDylisYhzrw0RuS6WSvhAvuVQ0yF uh6SYw72DFmbX/h1A9BBMZ50tJtgqbD4Q+74J44SP8RD7qspTk6NNBa6D835NLx652yXwQ==
To: openpgp@ietf.org
Message-ID: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de>
Date: Tue, 15 Oct 2019 14:16:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bYKHqjgXKtDWX0HISfzChRmsWes>
Subject: [openpgp] Deriving an OpenPGP secret key from a human readable seed
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 12:16:40 -0000

Today, saving a backup of an OpenPGP secret key usually requires storing
a file.

It could be useful to standardize an an additional recovery mechanism,
that doesn't require the secure storage of a file, but is based on a
list of words written to paper.

The high level idea is:

- key generation requires a source of entropy

- instead of using the entropy directly, the entropy could
  be used to seed a CSPRNG (like HMAC_DRBG), which is then used
  to obtain the random data that is needed for key generation.

- the entropy, plus any meta data required to generate the key,
  could be encoded as a list of words, which the user can write down.

- at a later time, the user could recover by using OpenPGP key
  generation software that supports this recovery mechanism,
  could provide the word list, which is decoded to obtain the original
  entropy bits.

- after creating the initial key, if additional keys need to be
  generated (e.g. a subkey), the CSPRNG is used to fetch all additional
  random numbers that are required.

During the OpenPGP summit last weekend it was mentioned that having this
kind of mechanism available could be useful, without going into detail.

Tobias Müller pointed me to an existing implementation of a similar idea
for creating OpenPGP keys : https://github.com/skeeto/passphrase2pgp

A definition of such an approach exists for the kind of private keys
that are used in the Bitcoin world, and IIUC several applications
implement it:
https://en.bitcoin.it/wiki/BIP_0039

(For creating additional child keys, an additional standard exists for
creating them, just for completeness, I don't know (yet) if the OpenPGP
mechanism might require (or could use) something similar for sub keys:
https://en.bitcoin.it/wiki/BIP_0032 )

Would you be interested to discuss how to standardize such a recovery
mechanism, and would you be interested to implement it in your applications?

Besides the raw entropy, what other meta information would we have to be
included, to ensure that key generation can be repeated?

I see the primary purpose for this recovery mechanism as desaster recovery:
- ensure the recovered primary key can be used to decrypt an
  archive of old data, like the encrypted emails in a sent folder
- allow the use of the recovered primary key to create a revocation
  statement

If the guts of the BIP_0039 specification is considered equivalent to
the needs of a mechanism for OpenPGP secret keys, maybe it could be a
useful shortcut to use the same approach.

It uses lists with 2048 words, and encodes each word as 11 bits.
A seed of 128 bits with a checksum of 4 bits is encoded into 12 words.

Potentially the metadata required to encode a public key could be
encoded into additional words.

Here's a result of some initial brainstorming, but I'm unsure if I've
identified all the meta information that would be necessary to repeat
the key generation, but as a starting point for discussion, we could
encode the following meta/descriptor information into 33 bits, which
could then be encoded into three additional words.

1 bit
    Version of this descriptor prefix, always 0.

7 bits
    Number of entropy bytes that will be encoded as a mnemonic.
    Encoded as a multiple of 32 minus 1.
    Smallest value possible is 32, encoded as 0: (0 + 1) * 32 = 32
    Largest value possible is 4096, encoded as 127:
      ((127 + 1) * 32) = 4096
    (Maybe 4096 is unnecessarily large, and we could use a smaller
     amount of bits for this.)

7 bits
    Identifier of the public key algorithm, as defined in RFC 4880
    section 9.1
    (Assumption that this implies the usual associated sub key
     algorithm. If not possible, we'd need additional bits to
     encode the sub key algorithm.)

18 bits
    Key size plus 1
    Smallest value possible, encoded as 0: 1
    Largest value possible, encoded as 262143: 262144
    (Maybe again that's unnecessarily large and we could use the
     bits for something else.)

A full recovery mnemonic based on a 128 bit seed could consist of 15
words, 3 bytes for the descriptor prefix and 12 bytes for the seed.

I hope some of this message makes sense.

Regards
Kai

v2.23.0 | Report a Bug | By Email