Re: [cryptography] no-keyring public

[Samuel Neves]

On 25-08-2013 13:38, Alexander Klimov wrote:
 There was a ECC program from the previous century that worked as you 
 described: the private key was derived solely from the user password. 
 Unfortunately, I cannot recall its name (and I suspect it already 
 vanished from the net since it was not secure due to its use of EC 
 over binary composite field, Weil descent attack), but I guess someone 
 here remembers its name, since at that time it was a rare example of 
 ECC software.

The name was Pegwit:
http://www.george-barwood.pwp.blueyonder.co.uk/hp/v8/pegwit.htm

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[stef]

On Sun, Aug 25, 2013 at 08:13:51AM -0400, Matthew Orgass wrote:
 On 2013-08-25 alser...@inbox.ru wrote:
 On Sat, 24 Aug 2013, Krisztián Pintér wrote:
 has anybody done something like that already? does it have a name?
 
 There was a ECC program from the previous century that worked as you
 described: the private key was derived solely from the user password.
 
 Seccure: http://point-at-infinity.org/seccure/

i 3 seccure. the lack of a good kdf was easily fixed with scrypt.

 It could even do ECDH.
 I wish there were more simple command line crypto utilities.

good memories. so i just added ECDH also to my new tool:
https://github.com/stef/pbp

which is based on libsodium, based on nacl. also i created a new wrapper for
python, pysodium:
https://github.com/stef/pysodium

hope you enjoy and play around with simple command line crypto utilities.

-- 
pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6  3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Alexander Klimov]

On Sat, 24 Aug 2013, Krisztián Pintér wrote:
 has anybody done something like that already? does it have a name?

There was a ECC program from the previous century that worked as you 
described: the private key was derived solely from the user password. 
Unfortunately, I cannot recall its name (and I suspect it already 
vanished from the net since it was not secure due to its use of EC 
over binary composite field, Weil descent attack), but I guess someone 
here remembers its name, since at that time it was a rare example of 
ECC software.

Btw, this memorable private key technique has nothing to do with IBE, 
since no trusted third party is required.

-- 
Regards,
ASK___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Matthew Orgass]

On 2013-08-25 alser...@inbox.ru wrote:

On Sat, 24 Aug 2013, Krisztián Pintér wrote:

has anybody done something like that already? does it have a name?


There was a ECC program from the previous century that worked as you
described: the private key was derived solely from the user password.


Seccure: http://point-at-infinity.org/seccure/

It doesn't do any key stretching plus has a number of implementation 
problems, but I used it a little for backups until it corrupted some and I 
found the scrypt utility.  Seccure seemed nice from a usability 
perspective other than that you couldn't quite decrypt and pipe the result 
to less reliably.  There were command line arguments for curve and MAC 
length that you just had to get right or it didn't work.  It could even do 
ECDH.


I wish there were more simple command line crypto utilities.

-Matt___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Natanael]

Bitcoin Brainwallet software creates ECDSA keys that you can use for
multiple purposes, not only for Bitcoin.

A link to Phidelius, which was previously mentioned:
http://dankaminsky.com/2012/01/03/phidelius/

---

I would like to see some standardized hierarchial deterministic scheme
to generate various types of keys from a master password. Here's my
idea for how you could do it in a reasonably secure way (assuming the
master password is chosen in a secure manner and used in a secure
manner);

First of all you have a master password, of course. Ideally it
should be generated randomly (represented to you as words, diceware
style), but arbitary user input is accepted. First you run scrypt (or
bcrypt?) on the master password, salted with a standard string,
generating a master seed.
From this you can generate several different outputs. One of them is
used to generate a number of master keys (RSA, ECDSA, or whatever
else you want) through scrypt with another specific salt from that
master seed. To make sure it's deterministic you use specific
algorithms with predefined parameters. For example ECDSA with the
parameters that Bitcoin uses (we can take this code straight from a
Bitcoin brainwallet generator), or some specific parameters for RSA
4096 bits, or even a specific Lamport scheme implementation. Each
algorithm + parameter combination would be referred to with it's own
specific name.

The master seed is also used to generate a number of temporary seeds
(with scrypt on the master seed plus a special string plus a counter,
and you need to remember this counter once you've started to revoke
and replace old temporary seeds). The temporary seeds are presented to
you encoded as a series of words so you do not need to use your master
password everywhere. They are then used to create a set of temporary
keys in the same way.
You can use your master key(s) to revoke temporary keys. How long you
should use each temporary seed and it's keys is up to you - for
example you could use each for one year, or maybe even just for one
day.

When you enter your master password the client generates a bunch of
these keys and signs the subkeys with the master key(s), allowing you
to publish all those signatures at once, and them memorize the first
temporary seed. It also generates a revocation signature for the
master key(s) themselves that you can publish if/when needed. Then you
can go on using those temporary keys, and be fairly calm about using
the temporary keys as every key is revokable (although revocation
notifications don't always travel fast, which can be a problem...).

Of course this fails catastrophically if you use bad passwords or if
they leak, so I probably would not recommend this for anybody other
than a person who do not have long-term access to any reliable form of
storage, for example a person who are forced to continously ditch
their old electronics and trash it and switch to new temporary
devices.

If you can generate AND remember strong passwords, then it would work
fine. But the problem is that most people fails at one or both of
those two, even though you CAN learn to do it.

2013/8/25 Alexander Klimov alser...@inbox.ru:
 On Sat, 24 Aug 2013, Krisztián Pintér wrote:
 has anybody done something like that already? does it have a name?

 There was a ECC program from the previous century that worked as you
 described: the private key was derived solely from the user password.
 Unfortunately, I cannot recall its name (and I suspect it already
 vanished from the net since it was not secure due to its use of EC
 over binary composite field, Weil descent attack), but I guess someone
 here remembers its name, since at that time it was a rare example of
 ECC software.

 Btw, this memorable private key technique has nothing to do with IBE,
 since no trusted third party is required.

 --
 Regards,
 ASK
 ___
 cryptography mailing list
 cryptography@randombit.net
 http://lists.randombit.net/mailman/listinfo/cryptography

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

[cryptography] no-keyring public

[Krisztián Pintér]

hi list,

i had an epiphany today, and i wonder if such a thing already exists or not.

so the usual thing is to create a key pair, store the private key encripted 
with a password. we automatically get a two factor authentication, we have a 
know and a have. okay, but what if we don't want this, and we want our old 
password only, no keyring approach?

we can do that. how about this? stretch the password with some KDF, derive a 
seed to a PRNG, and use the PRNG to create the the key pair. if the algorithm 
is fixed, it will end up with the same keypair every time. voila, no-keyring 
password-only public key cryptography.

do you see any downsides to that, besides the obvious ones that follow from the 
no-keyring requirement? (slow, weak password.)

has anybody done something like that already? does it have a name?


regs,
Krisztián

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[William Yager]

On Aug 24, 2013, at 11:30 AM, Krisztián Pintér pinte...@gmail.com wrote:

 we can do that. how about this? stretch the password with some KDF, derive a 
 seed to a PRNG, and use the PRNG to create the the key pair. if the algorithm 
 is fixed, it will end up with the same keypair every time. voila, no-keyring 
 password-only public key cryptography.
 
 do you see any downsides to that, besides the obvious ones that follow from 
 the no-keyring requirement? (slow, weak password.)

You mean like a Bitcoin brain wallet? 

And yes, the downside is that they're very susceptible to brute force attacks. 
I suppose this is more the case with Bitcoin wallets than with other signature 
schemes.

Will



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Jeffrey Goldberg]

Szervusz Kristián.

On August 24, 2013 at 11:29:57 AM, Krisztián Pintér (pinte...@gmail.com) wrote:
so the usual thing is to create a key pair, store the private key encripted 
with a password. we automatically get a two factor authentication, we have a 
know and a have. 
Yep. We need both the private key file and the password to decrypt it. I’ve 
called this “one and a half factor” at times.

how about this? stretch the password with some KDF, derive a seed to a PRNG, 
and use the PRNG to create the the key pair. if the algorithm is fixed, it will 
end up with the same keypair every time. voila, no-keyring password-only public 
key cryptography. 
I’m not sure why this would be preferable to simply storing the password 
protected private key in a public place. It has the identical benefits in that 
the user doesn’t need to maintain and copy their private key from place to 
place, and it shares the same basic problem (you need a very good KDF and 
password), but it introduces other problems:

1. In your system the KDF for creating the seed to PRNG can’t be salted. And so 
two people with the same password will end up with the same key pair. (You 
could store the salt in some public place, but if you are doing to do that, you 
might as well store the encrypted private key.)

2. You can’t change your password without changing your key pair. (Though 
password changes don’t do a lot of good with the current system either.)

3. Key generation is slow and complex, presenting a greater opportunity for 
side channel attacks.

4. This means that we can never improve key generation. The particular 
heuristics that are used know with the identical parameters are things things 
that we will be stuck with.

5. Key generation is slow (as you mentioned)

If your goal is to not have to have people keep track of their private key 
files, I’m not sure that this is a good way to do that. (Though I recently 
encountered this problem. I didn’t have my private keys on my “travel” laptop. 
I thought I’d saved them in my password manager, but it turns out I’d only 
saved the public keys.)

Szia,

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Krisztián Pintér]

adjisten :)

 1. In your system the KDF for creating the seed to PRNG can’t be
 salted. 

nope, it can't be.

 And so two people with the same password will end up with
 the same key pair.

for this reason, and others, a really strong key phrase is needed for that 
reason. this is definitely a problem, but it is a problem that i believe 
follows from the no-keyring requirement. i see no way around it.

 3. Key generation is slow and complex, presenting a greater
 opportunity for side channel attacks.

that is also a problem, since the algo probably needs to be implemented and 
executeed in a lot of places. otherwise, why no keyring? it is less of a 
problem if we have widely used high quality software libraries.

 4. This means that we can never improve key generation.

we can. we can incorporate any easy to remember information in the key 
generation process. like version number, purpose, etc. it is technically part 
of the password, except does not have to be hard to guess. quite the opposite, 
it has to be straightforward to remember. kinda like i choose SSH1, SSH2 RSA, 
SSH2 DSA in puttygen.

as a weird approach, the program can even try to guess these. it can try to 
generate keypairs with different settings, and see which results in the proper 
public key.

 If your goal is to not have to have people keep track of their
 private key files, I’m not sure that this is a good way to do that.

do you see any weaknesses in this proposal that does not apply to all 
keyring-less, single-factor, pure-pwd approaches?

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Krisztián Pintér]

 Can it not? A distributed store for salts seems possible...

but then distributed keyring is also possible, is it not?




___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Jeffrey Goldberg]

On August 24, 2013 at 1:41:27 PM, Ben Laurie (b...@links.org) wrote:

On 24 August 2013 19:14, Krisztián Pintér pinte...@gmail.com wrote:

 1. In your system the KDF for creating the seed to PRNG can’t be
 salted.

nope, it can't be.

Can it not? A distributed store for salts seems possible...
OK, “can’t” was too strong of a word. But it appears to me that any mechanism 
for delivering the salts might as well just deliver the encrypted private key. 
And such a system would undermine the original intent (as I understand it) of 
the proposal.

That is, if I understand the original intent it is so that the user doesn’t 
need to carry their (encrypted) public key with them. All they ever need to 
know is their password.  If they need to know their password and their salt, 
then either

(1) that salt gets distributed when they needed it, or

(2) they need to carry the salt with them

In either case, there is no advantage (unless I’ve missed some point) in just 
distributing/managing the salt over distributing/managing the encrypted private 
keys.

Cheers,

-j
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Ben Laurie]

On 24 August 2013 19:55, Krisztián Pintér pinte...@gmail.com wrote:


  Can it not? A distributed store for salts seems possible...

 but then distributed keyring is also possible, is it not?


Yes. Or at least cloud storage for secrets.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[Krisztián Pintér]

aha, i'm not that original after all. my attention was called to Dan Kaminsky's 
Phidelius too.



 It's very similar (as Greg Rose noted) to IBE, and thus pretty much what I 
 did in:

 http://middleware.internet2.edu/pki05/proceedings/callas-conventional_ibe.pdf



___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] no-keyring public

[James A. Donald]

On 2013-08-25 7:58 AM, James A. Donald wrote:

On 2013-08-25 2:30 AM, � wrote:

hi list,

i had an epiphany today, and i wonder if such a thing already exists 
or not.


so the usual thing is to create a key pair, store the private key 
encripted with a password. we automatically get a two factor 
authentication, we have a know and a have. okay, but what if we 
don't want this, and we want our old password only, no keyring approach?


we can do that. how about this? stretch the password with some KDF, 
derive a seed to a PRNG, and use the PRNG to create the the key pair. 
if the algorithm is fixed, it will end up with the same keypair every 
time. voila, no-keyring password-only public key cryptography.


do you see any downsides to that, besides the obvious ones that 
follow from the no-keyring requirement? (slow, weak password.)


has anybody done something like that already? does it have a name?




Attacker applies dictionary attack.

To avoid dictionary attack, use zero knowledge passphrase proof 
(ZKPP)to obtain passphrase authenticated key agreement with a server 
(for which the acronym is PAKE, not PAKA as one might expect)


Server supplies a unique salt, derived from the server's secret and 
the user login, with the user combines with his passprhase


If user has strong passphrase, server cannot guess user's secret key

If user has weak passphrase, server, but not eavesdropper, can 
reconstruct secret key by dictionary attack.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography