Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 18 October 2019 22:51 UTC

On 2019-10-17 at 09:13:02, Kai Engert wrote:
> The seed is insufficient for recreating the OpenPGP key. We need
> additional meta information.
> 
> The suggestion is to specify the meta information that is required to
> recreate the OpenPGP key. In Daniel's response, he mentioned that as
> part (c).
> 
> It seems that part (c) would contain information that is specific to
> OpenPGP.
> 
> Daniel pointed out that I had missed the "key creation time" in my
> enumeration.
> 
> So in addition to the seed, if we want a recovery mechanism that doesn't
> require the OpenPGP transferable public key to be readily available,
> we'd have to combine:
> - the general seed
> - OpenPGP key creation time
> - OpenPGP key algo
> - OpenPGP key key size
> - ...?

In addition, you require a deterministic key generation process.  This
is straightforward for EC keys (generate a random byte string of the
appropriate length as the secret key), but it's trickier for RSA and DSA
keys.

If the random number you pick for p is not prime, should you pick
another random one?  Increase it by two and try again?  What random
numbers are you going to pick for Miller-Rabin and how do you extract
those from the DRBG?  How many times do you iterate Miller-Rabin?

For DSA keys, how do you pick the generator?  For RSA keys, what values
of e do you allow?  If p is not less than q, do you swap them, or do you
generate a new q?

And yes, the Miller-Rabin numbers matter, because it's a probabilistic
technique, and it is possible to generate keys based off pseudoprimes,
which you would want to be able to reproduce, even if they are insecure.
Or you'd have to tell people that the process might produce a totally
different key if their original one was not really secure.

In order to get this right for non-EC keys, you really need a separate
document that defines things down to the details, much like RFC 6979 does
for deterministic signatures.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
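
The retry-rule question raised above, as an added example that is not part of the original message: a Python sketch in which the same seed yields different primes depending on whether a composite candidate is redrawn from the stream or incremented by two. `SeedStream`, `derive_prime`, the SHA-256 counter construction, the round count and the sample seeds are all assumptions made for illustration, not a proposed OpenPGP scheme.

```python
import hashlib

class SeedStream:
    """Toy deterministic byte stream, SHA-256(seed || counter); a stand-in for a real DRBG."""
    def __init__(self, seed: bytes):
        self.seed, self.ctr = seed, 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.seed + self.ctr.to_bytes(8, "big")).digest()
            self.ctr += 1
        return out[:n]  # leftover bytes are discarded: one more thing a spec must pin down

def miller_rabin(n: int, stream: SeedStream, rounds: int) -> bool:
    """Miller-Rabin whose bases come from the same stream as the candidates."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(stream.read((n.bit_length() + 7) // 8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True

def derive_prime(seed: bytes, bits: int, on_composite: str, rounds: int = 16) -> int:
    """Derive a probable prime from seed; on_composite is 'redraw' or 'increment'."""
    stream = SeedStream(seed)
    def draw() -> int:
        c = int.from_bytes(stream.read(bits // 8), "big")
        return c | (1 << (bits - 1)) | 1  # force the top bit and oddness
    c = draw()
    while not miller_rabin(c, stream, rounds):
        c = draw() if on_composite == "redraw" else c + 2
    return c

SEEDS = [b"constructed seed %d" % i for i in range(8)]  # constructed sample seeds

def disagreements(bits: int = 256) -> int:
    """Count seeds for which the two retry rules derive different primes."""
    return sum(derive_prime(s, bits, "redraw") != derive_prime(s, bits, "increment") for s in SEEDS)
```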