Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 17 October 2019 10:12 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: openpgp@ietf.org
In-reply-to: <8736fs7ao8.fsf@fifthhorseman.net>
References: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de> <8736fs7ao8.fsf@fifthhorseman.net>
Comments: In-reply-to Daniel Kahn Gillmor <dkg@fifthhorseman.net> message dated "Wed, 16 Oct 2019 15:27:51 -0400."
Date: Thu, 17 Oct 2019 12:13:20 +0200
Message-ID: <22567.1571307200@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/oTb_eX1SflTo1c-0a47TAo5vJ9c>
Subject: Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
    > For secret key recovery, presumably the user has the OpenPGP certificate
    > ("transferable public key") available to them already, which contains
    > all the above information already.  I'd imagine that the recovery
    > process in the OpenPGP context would take the certificate and the
    > mnemonic, deriving all of the above fields from the certificate.

I think that this makes sense.
And it's already signed :-)

    > I'm not personally very convinced about this general approach -- it's
    > the equivalent of an unchangeable password that you've committed to
    > publicly (so anyone who thinks they have a good guess at your password
    > can verify it offline against your public key fingerprint).

That's a good point; however sometimes perfect is the enemy of good enough,
and that has been the case for encrypted email for a long time.

A recoverable key would be an option, not a requirement.

{An interesting (mathematical, density of primes) question would be whether
one would be able to determine from looking at the public key whether it was
recoverable or not.  That is, can one recognize some pattern in the expanded
DRBG. It might still be statistically secure, yet since the amount of entropy
in the key is less than the entropy in the input, it might leave a pattern}

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-