Re: weak key check?

2012-02-20 Thread anthony berglas
Thanks for that.

As to why it is a good idea, consider for example encrypted zip files sent
to various people.  The big danger with encryption is that keys will be
lost, and thus the data.  So as well as encrypting with a symmetric pass
phrase, that phrase can be wrapped in a public key (which requires a cert).
 But now we have the problem of the private key, key stores etc.  Easy for
a PKI expert, but not for a simple user.  How much simpler a public key
pass phrase that can be remembered, written down etc.  No Key store to
mismanage or lose.

Anthony

On Tue, Feb 21, 2012 at 8:47 AM, Wim Lewis w...@omnigroup.com wrote:


 On Feb 17, 2012, at 5:05 PM, anthony berglas wrote:
  Taking a different slant, is it possible to provide the Entropy using
 a pass phrase.  So a given pass phrase will always generate the same key
 pair.  This means that for simple applications no key store is required.
  Much like password based (symmetric) encryption.
 
  Any ideas as to how hard that would be to do with Open SSL?  Has anyone
 else done it?


 I dimly remember seeing schemes and specifications for doing roughly that,
 although I can't find a reference for one offhand[1]. All the entropy is
 provided upfront and the secret key parameters are derived from it in a
 well-defined deterministic way. AIUI the intent is to allow the RNG and PKC
 implementations to be validated independently (with published test vectors
 for the deterministic key-generation step) but presumably you could use it
 to derive RSA keys from a password as well.

 (I might be remembering DSA key generation; the secret parameter of a DSA
 key doesn't have to have special properties, so you could if you wanted
 simply use the output of a PBKDF-like algorithm there?)

  My question is, has this been done, or would it be easy to do given the
 existing structure.

 I don't think it would be hard to do; OpenSSL's rsa_builtin_keygen() is
 pretty straightforward and I don't think it relies on any internals not
 exposed to users of the library. You could write a version of it that calls
 an equivalent of BN_generate_prime_ex() that works deterministically based
 on the passphrase.

 Like others, I'm skeptical that this is actually a good idea, but I could
 be wrong...

 [1] Some places suggest that X9.31 and/or X9.44 might contain
 deterministic algorithms for RSA secret key generation in their appendices,
 but I don't have easy access to those.


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List openssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




-- 

Dr Anthony Berglas, anth...@berglas.org   Mobile: +61 4 4838 8874
Just because it is possible to push twigs along the ground with ones nose
does not necessarily mean that that is the best way to collect firewood.
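
Added example, not part of the thread and not OpenSSL code: the deterministic key generation Wim Lewis describes above (all entropy supplied up front, primes found by a repeatable search), written in Python. The PBKDF2 parameters, the SHAKE-256 byte stream and every function name are assumptions chosen for illustration.

```python
import hashlib
from math import gcd
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

class SeededStream:
    """Deterministic byte source (assumed construction): SHAKE-256(seed || counter)."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def read(self, n: int) -> bytes:
        self.counter += 1
        return hashlib.shake_256(self.seed + self.counter.to_bytes(8, "big")).digest(n)

def is_probable_prime(n: int, stream: SeededStream, rounds: int = 40) -> bool:
    """Trial division, then Miller-Rabin with witnesses drawn from the stream (large odd n)."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(stream.read((n.bit_length() + 7) // 8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # no square reached n - 1: n is composite
    return True

def derive_prime(stream: SeededStream, bits: int, e: int) -> int:
    """Repeatable counterpart of a random prime search: candidates come from the stream."""
    while True:
        c = int.from_bytes(stream.read(bits // 8), "big")
        c |= (3 << (bits - 2)) | 1  # force the top two bits and oddness
        if gcd(c - 1, e) == 1 and is_probable_prime(c, stream):
            return c

def keypair_from_passphrase(passphrase: str, salt: bytes, bits: int = 2048, e: int = 65537):
    """Hypothetical helper: return (n, e, d); same pass phrase and salt give the same key."""
    stream = SeededStream(hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 32))
    p = derive_prime(stream, bits // 2, e)
    q = derive_prime(stream, bits // 2, e)
    while q == p:
        q = derive_prime(stream, bits // 2, e)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))
```

The salt has to be kept (or fixed by the application) to regenerate the key, and the key is only as hard to guess as the pass phrase, so the 112-bit figure quoted in the thread applies to the pass phrase itself.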


Re: weak key check?

2012-02-19 Thread anthony berglas
Exactly.  So you need about 112 bits of entropy / Pass Phrase to generate
a good 2048 bit key.  Remember that the vast majority of 2048 bit numbers
are not valid key pairs.

My question is, has this been done, or would it be easy to do given the
existing structure.

Anthony

On Mon, Feb 20, 2012 at 2:49 AM, Dr. Stephen Henson st...@openssl.org wrote:

 On Sat, Feb 18, 2012, Edward Ned Harvey wrote:

   From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
   On Behalf Of anthony berglas

   Taking a different slant, is it possible to provide the Entropy using a
   pass phrase.  So a given pass phrase will always generate the same key pair.
   This means that for simple applications no key store is required.  Much like
   password based (symmetric) encryption.

   Any ideas as to how hard that would be to do with Open SSL?  Has anyone
   else done it?

  You want at least 2048 bits of entropy.  That's a very long passphrase.
  Also, unless you randomly generate your passphrase in hex or binary, it's
  bound to be a lot less than 2048 bits of entropy even if it's 2048 bits
  long.

 It depends on the key length and the algorithm in question. For example
 for a 2048 bit RSA key the equivalent comparable security strength is
 112 bits (see SP800-57 et al).

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org


Re: weak key check?

2012-02-17 Thread anthony berglas
Taking a different slant, is it possible to provide the Entropy using a
pass phrase.  So a given pass phrase will always generate the same key
pair.  This means that for simple applications no key store is required.
 Much like password based (symmetric) encryption.

Any ideas as to how hard that would be to do with Open SSL?  Has anyone
else done it?

Anthony

2012/2/17 Richard Könning richard.koenn...@ts.fujitsu.com

 On 16.02.2012 12:17, Jakob Bohm wrote:


 2. Creating primes starts with high quality random numbers,
 such that there are a gigantic number of possible primes.
 If done correctly (like in current OpenSSL versions), the
 chance of choosing the same prime as somebody else is
 extremely low (again, I hope someone else on this list can
 come up with the numbers for general enlightenment).


 Well, seeding the PRNG correctly seems not to be a trivial task,
 see e.g.
 http://eprint.iacr.org/2012/064.pdf and
 https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
 .
 Ciao,
 Richard



Re: Pass phrase based public/private key generation

2012-02-15 Thread anthony berglas
Hello Ryan,

Thanks for the link.

But this does not need any sophisticated cryptological analysis.  It is
just the standard asymmetric key stuff.

In normal operation, a key is created from bits of Entropy, generally
gathered from the operating system.  All I need to do is replace those bits
of entropy with a hash of the pass phrase.  Everything should work as
before.

And 100 bits of real pass phrase uniqueness should be plenty to generate a
2048 bit RSA key (say) because there are lots of gaps in what a useful key
can be.  We are feeding into the algorithms that search for a big prime
etc.  not modifying the output.

This is really a practical programming issue.  Ideally there would be
options on the SSL command line.  Or it would be easy to use the internal
API to specify entropy (or hopefully someone has already done that).

Regards,

Anthony

On Wed, Feb 15, 2012 at 6:05 PM, Ryan Hurst ryan.hu...@globalsign.com wrote:

 Anthony,

 I am not a cryptographer, nor do I play one on TV; however I have read
 papers that talk about models of doing this, I filed these works under the
 category of “neat” because of the applicability limitations and noted
 security risks; with that said I never looked into it in great detail
 myself.

 Here is a link I remembered running across recently talking about this
 model:

 http://crypto.stackexchange.com/questions/1662/how-can-one-securely-generate-an-asymmetric-key-pair-from-a-short-passphrase

 Ryan

 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of anthony berglas
 Sent: Tuesday, February 14, 2012 7:38 PM
 To: openssl-users@openssl.org
 Subject: Re: Pass phrase based public/private key generation

 Hello Jeff,

 Thanks for that.  But IBE still needs a server and binary secrets to be
 held.  I just want a simple pass phrase based scheme.  It is odd that this
 is not more commonplace.

 Anthony

 On Wed, Feb 15, 2012 at 12:36 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Tue, Feb 14, 2012 at 7:53 PM, anthony berglas anth...@berglas.org wrote:

 You might want to read about identity based encryption before making
 the jump to 'passphrase - private key'.

 Jeff


Pass phrase based public/private key generation

2012-02-14 Thread anthony berglas
Hello All,

I want to set up a simple system in which the private key is derived
entirely from a pass phrase.

I.e. the pass phrase provides all the Entropy that is used.  This means
that the private key can be regenerated from the pass phrase at any time,
without needing to maintain a secure key store.

This is analogous to password based encryption for symmetric keys.
 Probably no need to strengthen it much given the cost of public key pair
generation.  Just some salt.

My application is essentially like an encrypting zip program.  But I want
to be able to have a (number of) master keys that can guarantee decryption
if the main symmetric key is lost.

I know that PKI is supposed to be difficult, but I am trying to build a
simple system for non-technical users to use.  They can write down a pass
phrase on a piece of paper (most of them can write).

I could see no way of doing this using the openssl command line.  Has
anyone else done it or something similar?

Thanks,

Anthony



Re: Pass phrase based public/private key generation

2012-02-14 Thread anthony berglas
Hello Jeff,

Thanks for that.  But IBE still needs a server and binary secrets to be
held.  I just want a simple pass phrase based scheme.  It is odd that this
is not more commonplace.

Anthony


On Wed, Feb 15, 2012 at 12:36 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Tue, Feb 14, 2012 at 7:53 PM, anthony berglas anth...@berglas.org wrote:

 You might want to read about identity based encryption before making
 the jump to 'passphrase - private key'.

 Jeff