IETF Logo Mail Archive

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 19 October 2019 05:44 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11A3312012E for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 22:44:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.477
X-Spam-Level:
X-Spam-Status: No, score=-1.477 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.172, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HH5V_szspEvd for <openpgp@ietfa.amsl.com>; Fri, 18 Oct 2019 22:44:43 -0700 (PDT)
Received: from mail-oi1-f176.google.com (mail-oi1-f176.google.com [209.85.167.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E33BE120024 for <openpgp@ietf.org>; Fri, 18 Oct 2019 22:44:42 -0700 (PDT)
Received: by mail-oi1-f176.google.com with SMTP id 83so7047918oii.1 for <openpgp@ietf.org>; Fri, 18 Oct 2019 22:44:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FtN3wYO/c58G8jIzF7NHhdwAcqbvCvixhFqRBW2UPu4=; b=Z3rrk5Y+6IFMlOMtwY5519mpz/fAM7wyQ1w5yRnkEPMjwllFZYb0e9hD7YhYquX6hY /pf+TmcorFtCRI39jeEnJMxlmfuopZLCnLvcwbOg0M/PGhMxKzEW+mqqSXSbwm0dFiHO OTM2KHtsnZ56gr+0CaRsw0VS7dyX5g6t2wA19+H1k/64t86rXta2QiCDLUPoJ6kBwcVR R7DPkxfwEo3svnzZcD1PBAEdK+dcoS3+yyp+DY7dJoZm3ZP0fc99sHfQ801uXMU2ALXX VypO8+papaz97Jebz4T6gtkez2UNRWLrvpzkCpUYF1NQ8kp02oaeIjFmsFjQpzggJR8l xMJQ==
X-Gm-Message-State: APjAAAVK/KLv9Vcq7Vw3nczZ6F0stKQexuTpgTx0nxzCClAE5xdvApcc IsCmHBLlWAOu+D3qk/SQF5ilvYIOi6NlUPlFxEU=
X-Google-Smtp-Source: APXvYqzmPwZmSJPBkm4W1zZHPiyrUdRw+YvfIcIo+VwJIFvJzgnrRhqlOA5YBAlf8/KX5iPgr5TmKb3Ld2W6WfETN1c=
X-Received: by 2002:aca:4a49:: with SMTP id x70mr11054882oia.17.1571463882111; Fri, 18 Oct 2019 22:44:42 -0700 (PDT)
MIME-Version: 1.0
References: <5eb8774d-8d4f-63e3-29bc-53f3c8d21c51@kuix.de> <FAAB5286-1C26-4F32-AB76-8B1E2C93FA77@icloud.com> <2efcd737-34b3-00bb-527f-725daf6e8509@kuix.de> <20191018225100.bnslptroeenuusxf@camp.crustytoothpaste.net> <CAMm+LwhL7ys67J=TaLwWDFEpb91H5SwQChVuoaHHqmCsoTiQjg@mail.gmail.com> <20191019044008.othhw7j5fktqxdta@camp.crustytoothpaste.net>
In-Reply-To: <20191019044008.othhw7j5fktqxdta@camp.crustytoothpaste.net>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Sat, 19 Oct 2019 01:44:37 -0400
Message-ID: <CAMm+LwjRN6fhvZK+oSb6NLZvLK+QHuxn0oF7Mez3Eodb0sbJ4g@mail.gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: IETF OpenPGP <openpgp@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000787f3705953cf2c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wJ4gGfZy3Riyfh8LMqpdwBooA9Y>
Subject: Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Oct 2019 05:44:45 -0000

On Sat, Oct 19, 2019 at 12:40 AM brian m. carlson <
sandals@crustytoothpaste.net> wrote:

> On 2019-10-19 at 03:40:03, Phillip Hallam-Baker wrote:
> > Someone just said we need a spec. Here is a spec:
> > https://www.ietf.org/id/draft-hallambaker-mesh-udf-07.txt
> >
> > It is in the new format which is intended to be read as HTML. Until the
> > tools catch up, you can read it here:
> > http://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html
>
> This doesn't specify any method of primality testing which means
> different implementations can produce different values[0] (and is
> therefore not deterministic), unless you literally interpret the text
> "smallest prime integer" as requiring an actual prime.  That could be
> implemented by using the Miller test instead of Miller-Rabin, but that
> would be much, much slower.
>

I am trying to work out what the necessary criteria should be. It is
certainly something to think about.

If someone is using a random primality test with 128 rounds, there is an
infinitesimal chance it isn't a prime, 2^-128.

The work factor for picking such a prime is 2^128 so it should not happen
by accident either.

Right now, my feeling is that if someone is going to use a broken primality
test, the risk of not recovering their key might be the least of their
concerns...

I think I might have a solution though...


In this particular case, the approach to invalid keys (where p and q are
> unsuitable) is "try again with a different seed", which is probably okay
> in terms of RSA, because the number of retries necessary will be low.
>

The only problem with that approach is that it prevents generating RSA keys
from shared secrets...


> It also doesn't specify DSA keys, which, while uncommon, are still a
> part of the spec.  The "try again" approach will probably be a little
> more difficult here.
>

I can add them. Which DSA key sizes are still relevant?

> The draft does not specify the value of e which it should but I am pretty
> > sure we have standardized on 65537. I see no reference to p being greater
> > than q and it is a mystery to me why we would care when the RSA
> parameters
> > are the modulus and the private exponent d. Knowledge of p and q is only
> > used to determine d, they are not req
>
> The OpenPGP secret key contains u, the multiplicative inverse of p mod
> q, which is used along with p and q for the Chinese Remainder Theorem.
> RFC 4880 specifically mentions that p must be less than q, which is
> required for u to exist.  (This is backwards from most other specs,
> which require the opposite and define u as the multiplicative inverse of
> q mod p.)
>

OK, so I will rework that part and merely specify that it outputs two
primes X and Y which implementations are free to use for either p or q as
they please.

So long as the resulting value of d is the same...

[0] Yes, people should pick a suitable number of iterations for
> primality testing, but there are people that pick 1 iteration for
> PBKDF2, which is a demonstration of why we can't have nice things.  We
> actually have to tell people how to write things in an interoperable
> and secure way.
>

Absolutely. And there are folk who have calculated their RSA parameters by
setting the upper n bits of their RSA modulus to be the encrypted value of
their seed value, choosing a random p and then working out what their q
should be. Then sold the result to a foreign adversary...

There are two possible situations.

1) User generates a strong key, recovery fails on a bad implementation with
insufficient testing.

2) User generates a broken key due to insufficient testing, cannot recover
it.

The first is the least worst. We can still recover the key on a good
implementation.

The second is trickier. But since we have specified the search pattern, we
can still recover the key provided that we know the fingerprint.

In either case, we can blame and shame the bad implementation!

v2.23.0 | Report a Bug | By Email