ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

2019-10-18 17:51:28
from [brian m. carlson] [Permanent Link] 
On 2019-10-17 at 09:13:02, Kai Engert wrote:

The seed is insufficient for recreating the OpenPGP key. We need
additional meta information.

The suggestion is to specify the meta information that is required to
recreate the OpenPGP key. In Daniel's response, he mentioned that as
part (c).

It seems that part (c) would contain information that is specific to
OpenPGP.

Daniel pointed out that I had missed the "key creation time" in my
enumeration.

So in addition to the seed, if we want a recovery mechanism that doesn't
require the OpenPGP transferrable public key to be readily available,
we'd have to combine:
- the general seed
- OpenPGP key creation time
- OpenPGP key algo
- OpenPGP key key size
- ...?


In addition, you require a deterministic key generation process.  This
is straightforward for EC keys (generate a random byte string of the
appropriate length as the secret key), but it's trickier for RSA and DSA
keys.

If the random number you pick for p is not prime, should you pick
another random one?  Increase it by two and try again?  What random
numbers are you going to pick for Miller-Rabin and how do you extract
those from the DRBG?  How many times do you iterate Miller-Rabin?

For DSA keys, how do you pick the generator?  For RSA keys, what values
of e do you allow?  If p is not less than q, do you swap them, or do you
generate a new q?

And yes, the Miller-Rabin numbers matter, because it's a probabilistic
technique, and it is possible to generate keys based off pseudoprimes,
which you would want to be able to reproduce, even if they are insecure.
Or you'd have to tell people that the process might produce a totally
different key if their original one was not really secure.

In order to get this right for non-EC keys, you really need a separate
document that defines things down the details, much like RFC 6979 does
for deterministic signatures.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Known seed key generation, Bjarni Runar Einarsson
Next by Date:  Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed, Phillip Hallam-Baker
Previous by Thread:  Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed, Kai Engert
Next by Thread:  Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed, Phillip Hallam-Baker
Indexes:  [Date] [Thread] [Top] [All Lists]