IETF Logo Mail Archive

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 October 2019 19:33 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 445C5120C16 for <openpgp@ietfa.amsl.com>; Thu, 17 Oct 2019 12:33:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=3y1hEgAQ; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=38VQlXx8
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9BU1l2rpvh39 for <openpgp@ietfa.amsl.com>; Thu, 17 Oct 2019 12:33:57 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92B9F120C37 for <openpgp@ietf.org>; Thu, 17 Oct 2019 12:33:57 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1571340836; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=OBlidYOXdAkTk2yLAGB5EJwrkGfBwfjlMA8bhRPpA+o=; b=3y1hEgAQcWRrLhOKsgyQ/G9iqKXAUhJI28lKfvHu+rKfLo6QAF3+/yTj RLZf3GDVZKNV0HbaqYC5dRWX/G69DA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1571340836; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=OBlidYOXdAkTk2yLAGB5EJwrkGfBwfjlMA8bhRPpA+o=; b=38VQlXx8MEuQBBKn68fJ8yWXDj5CMPa+iAR5BeBB68z1K/DkrUS0tg9C G5ZC4ZiMaGV3jORP27Q5DOnXwB157jZJRYwAoxy49LvznEPpqJQOn3x8/X B8mf+eFhtAbKy3RL6V3Xbq/NT27tZKemcUA//NX7YJloP+hF735j9eeZU+ vIlA1UPEFVqs6LHqfKtjiJs20byhiFZ1pgu45hJ64WOhPvtiMtSDqmp50I q84mEz1s9cZXMD1RQkeSgss8LHC5lluhXl6TleSHcxViksrm97oKtVFH5p 5H311Cg9iqR10jvM2KLvJ2Z5dxJMjxwaN8llZ18nMwHQZ+uXXgiZjg==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id C9FD8F9A7; Thu, 17 Oct 2019 15:33:55 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id C3F4F201CF; Thu, 17 Oct 2019 13:42:30 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>, openpgp@ietf.org
In-Reply-To: <22567.1571307200@dooku.sandelman.ca>
References: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de> <8736fs7ao8.fsf@fifthhorseman.net> <22567.1571307200@dooku.sandelman.ca>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Thu, 17 Oct 2019 13:42:30 -0400
Message-ID: <87r23b5kvt.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bug9kS2UgZd4Q-ORjXtcJxMMB-4>
Subject: Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2019 19:34:06 -0000

On Thu 2019-10-17 12:13:20 +0200, Michael Richardson wrote:
> That's a good point; however sometimes perfect is the enemy of good enough,
> and that has been the case for encrypted email for a long time.
>
> A recoverable key would be an option, not a requirement.

yep, that's why i'm trying to help think this through, even though i'm
not particularly excited about it. :)

> {An interesting (mathematical, density of primes) question would be whether
> one would be able to determine from looking at the public key whether it was
> recoverable or not.  That is, can one recognize some pattern in the expanded
> DRBG. It might still be statistically secure, yet since the amount of entropy
> in the key is less than the entropy in the input, it might leave a pattern}

Can you give an example of this?  I haven't tried to prove this, but i
think if the generated public key (whether a curve25519 point or an RSA
modulus) is distinguishable from other public keys, there is a strong
argument to be made that either the DRBG or the secret key derivation
mechanism is deeply flawed.

       --dkg

v2.23.0 | Report a Bug | By Email