Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 18 October 2019 22:51 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC8212092A for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 15:51:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jHv2fEu0q3Bo for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 15:51:07 -0700 (PDT)
Received: from injection.crustytoothpaste.net (injection.crustytoothpaste.net [192.241.140.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 854F31209A8 for <openpgp@ietf.org>; Fri, 18 Oct 2019 15:51:06 -0700 (PDT)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:b610:a2f0:36c1:12e3]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by injection.crustytoothpaste.net (Postfix) with ESMTPSA id 56A5E60459 for <openpgp@ietf.org>; Fri, 18 Oct 2019 22:51:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1571439065; bh=iR3voCb9D105Fo25Q/0FIuMP6YKpCPSiR4FmTqrKzw0=; h=Date:From:To:Subject:References:Content-Type:Content-Disposition: In-Reply-To:From:Reply-To:Subject:Date:To:CC:Resent-Date: Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=mb8tLg8AXhiLWPh+vuqJdECCGynLXuWA2OP0uEl6dlABKMc5d5G8UWPnNs5PYaQjC F/fqd3x88z2d3r0ExXPWQdHOorOoceBAsQt0rw8mzE1XvU84UqJ4rzVvtPbTzAyLOM m5nSWRQkFrbM35bj7G9N+qthkFQUNH3GOHlMG5J5w9zCiHtGa58XuJ5VuO4NbfSm0A 3oczzTKPO7fs3UHDoOcoBaiHO4TZ0mWrsSTe/EVgKJWWQ4Eefsjv3g2CU6fT/b/6IR Ijz1uj355npRub0Ndj9SVP/8u+2xfqQj9QzXEQRsK6xB1kHO++8GO3Lt8eZSMp7qv6 hzRup64/JwxKBcPhFWZmGwtyHkVzWyZ9d8HdbmBENwnTW5HEE4etwDfhDcgtHLtoxD JfkY+/T0FXN6u8G+QJ7eNYHnbk31vnOoKu+RSRH3S3UG6iZnPitUVcKaN2vGW1QSlp I08UzLfHT9yJirLlJ+UnqQKfhQVTlYjy/KKUbUsY/2U/Gzp/mQ3
Date: Fri, 18 Oct 2019 22:51:00 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <20191018225100.bnslptroeenuusxf@camp.crustytoothpaste.net>
References: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de> <FAAB5286-1C26-4F32-AB76-8B1E2C93FA77@icloud.com> <2efcd737-34b3-00bb-527f-725daf6e8509@kuix.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="lqo4fjxrbid6vqwt"
Content-Disposition: inline
In-Reply-To: <2efcd737-34b3-00bb-527f-725daf6e8509@kuix.de>
X-Machine: Running on camp using GNU/Linux on x86_64 (Linux kernel 5.3.0-trunk-amd64)
User-Agent: NeoMutt/20180716
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/i-3vvx8zod73jMfpDiErwwuYI7M>
Subject: Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2019 22:51:18 -0000
On 2019-10-17 at 09:13:02, Kai Engert wrote: > The seed is insufficient for recreating the OpenPGP key. We need > additional meta information. > > The suggestion is to specify the meta information that is required to > recreate the OpenPGP key. In Daniel's response, he mentioned that as > part (c). > > It seems that part (c) would contain information that is specific to > OpenPGP. > > Daniel pointed out that I had missed the "key creation time" in my > enumeration. > > So in addition to the seed, if we want a recovery mechanism that doesn't > require the OpenPGP transferrable public key to be readily available, > we'd have to combine: > - the general seed > - OpenPGP key creation time > - OpenPGP key algo > - OpenPGP key key size > - ...? In addition, you require a deterministic key generation process. This is straightforward for EC keys (generate a random byte string of the appropriate length as the secret key), but it's trickier for RSA and DSA keys. If the random number you pick for p is not prime, should you pick another random one? Increase it by two and try again? What random numbers are you going to pick for Miller-Rabin and how do you extract those from the DRBG? How many times do you iterate Miller-Rabin? For DSA keys, how do you pick the generator? For RSA keys, what values of e do you allow? If p is not less than q, do you swap them, or do you generate a new q? And yes, the Miller-Rabin numbers matter, because it's a probabilistic technique, and it is possible to generate keys based off pseudoprimes, which you would want to be able to reproduce, even if they are insecure. Or you'd have to tell people that the process might produce a totally different key if their original one was not really secure. In order to get this right for non-EC keys, you really need a separate document that defines things down the details, much like RFC 6979 does for deterministic signatures. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
- [openpgp] Deriving an OpenPGP secret key from a h… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Jon Callas
- Re: [openpgp] Deriving an OpenPGP secret key from… Daniel Kahn Gillmor
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Kai Engert
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Daniel Kahn Gillmor
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Marcus Brinkmann
- Re: [openpgp] Deriving an OpenPGP secret key from… brian m. carlson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… brian m. carlson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Heiko Stamer
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker
- Re: [openpgp] Deriving an OpenPGP secret key from… Michael Richardson
- Re: [openpgp] Deriving an OpenPGP secret key from… Phillip Hallam-Baker