Using a password as a private key.
Asymmetric crypto systems such as Diffie-Hellman, El-Gamal, and DSS, allow the private key to be a randomly chosen number. But, as a cute hack, instead of using a random number, for the private key, you could use a hash of the User Name, and a password. Doing so allows the users to generate their private key on demand. They don't have to store the private key, and if they want to work on another computer, they don't need to bring along a copy. Has anyone tried this? Is there existing software that does this? Any comments on the security of such a scheme? The only drawback that I can think of is the potential lack of randomness in the key. If the user chooses a bad password, it would be possible to brute force the public key.

Harv.RedRook@yahoo.com
Asymmetric crypto systems such as Diffie-Hellman, El-Gamal, and DSS, allow the private key to be a randomly chosen number. But, as a cute hack, instead of using a random number, for the private key, you could use a hash of the User Name, and a password.
That has been proposed in the context of elliptic curve cryptography where the keys don't need much entropy. I think George Barwood's pegwit works that way. I don't like the idea though. You're giving everybody the chance to run a password guessing attack on your secret key.
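As an added example (not code from the thread, from Kong, or from pegwit), here is RedRook's scheme and Ulf's objection side by side: the private scalar is hashed from the user name and password and the public key is regenerated from it on demand. The curve is secp256k1, an assumption chosen because it has a small pure-Python implementation; Kong's own curve and hash are not reproduced here.

```python
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G has prime order N
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (variable-time; fine for a demo)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def private_key_from_password(username, password, slow=False):
    """RedRook's scheme: private scalar = H(username, password), regenerable anywhere.
    slow=True swaps the single SHA-256 call for PBKDF2, which raises the cost of each
    guess but does not remove Ulf's objection: anyone holding the public key can
    still test candidate passwords offline, and a weak password still falls."""
    if slow:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     username.encode(), 200_000, dklen=32)
    else:
        digest = hashlib.sha256(username.encode() + b"\x00" + password.encode()).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1   # scalar in [1, N-1]

def public_key(priv):
    """Public key = priv * G: the value a correspondent (or a guesser) holds."""
    return ec_mul(priv, G)
```

Running the same user name and password on a second machine yields the same public key, which is the convenience RedRook wants and the exposure Ulf points at.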
On Wed, 28 Oct 1998, Ulf Möller wrote:
I don't like the idea though. You're giving everybody the chance to run a password guessing attack on your secret key.
That was my first objection too.. But the only thing stopping an attacker from running the same attack on my PGP key is that they don't _have_ my PGP key.. a non-issue for a dedicated attacker. My 1024 bit private key could be had fairly easily, it would entail hacking my PC, or stealing.. whatever. Now they run a password cracker.

In the case of the private key being generated from a passphrase, hacking my PC, or stealing it, does them no good .. my private key isn't there .. (ok, maybe it is.. data remanence is a pain in the ass.. but you get the point).

Lastly .. I am not too familiar with elliptic curve crypto, but it seems to me that running a cracker on a phrase, and then generating the private key from it or trying signatures is going to be more CPU intensive than doing a few blocks of IDEA or CAST, so it would seem to follow that this scheme is stronger in preventing an intelligent search of the passphrase.

Michael J. Graffam (mgraffam@idsi.net)
"..subordination of one sex to the other is wrong in itself, and now one of the chief hindrances to human improvement.." John Stuart Mill "The Subjection of Women"
James Donald's "Crypto Kong" system http://catalog.com/jamesd/Kong/ does this. It uses Diffie-Hellman and ElGamal crypto over Elliptic Curves, so it can get away with relatively short keys, 240-255 bits. The secret key is hashed from your passphrase (and/or a keyfile*). Your public key is generated from the secret key and a generator.

Because the public keys can be short, there are some real conveniences. You don't need to distribute big clunky keys in a keyserver; 255 bits is just 43 characters of base-64, so you can put it in your mail signatures and on your business cards.

Kong takes an interesting approach to key certification and signatures - it doesn't use the "True Name" model with a Certificate Authority Trusted Third Party Subject To Many Government Regulations certifying that the person who has this key has that True Name. Instead, you sign messages, and it keeps a database of signed messages from people, and you can compare a message you have with a message you've received previously to see if it's signed by the same key, and you can send encrypted messages to the person who sent you a previous message. If you want to do the equivalent of signing a key, you just sign a message including someone else's message, maybe adding commentary (which is hard to do in PGP.) Here's an example:

-- 2
Dear Carol
I've known Bob for a long time, and he's probably not an FBI plant. Here's a copy of his business card.
Alice
--
Bob Dobbs, Sales, PO Box 140306, Dallas TX 75214
http://subgenius.com/bigfist/pics2/logoart/dobbs3x45.GIF
--digsig Bob
F9KBGIfyizpoyo8i8NS/Dqe/eP4WVNcXcRJuS14QPXn
N9Cm/pDw8sgVDMj8f3upNmp1pSE3rSj0atQuF7Jt
4RgxEDpUxK1DVzBejpH3qqvrqcY2+8M+pSXFB0LLG
--digsig Alice
9Xjp1N+QDtXR9Mw1S0gJTnwliGM3rQpuzdogeqOLqii
ckd5NlB2nGrQHe4TSMSDd791WEq64XCotsYG0oiZ
4W3Yi4QBCgYC0SnORJFesTOcbCsmGsEnXZRCVrsou

and you can go compare Alice's signature with the one she gave you at the Prop 215 Bake Sale.

On the other hand, "work on another computer" is a dangerous phrase. If it's another of _your_ computers, fine, but otherwise how do you trust that the copy of Kong or PGP or whatever you're running is the real thing, or that it's not saving your passphrase from the keyboard driver, or all the usual threats. Those threats are somewhat true with your own computer, but there you not only have some control over the machine, you know that if Bad Guys have cracked it, your data is hosed anyway :-)

[* The Kong keyfile of might-as-well-be-random bits which gives you entropy, and makes the system usable in environments where passphrases aren't convenient, such as unattended batch mail decryption done in remailers. You can either use just the passphrase, use just the keyfile, or use both.]

At 01:53 PM 10/27/98 -0800, RedRook <redrook@yahoo.com> wrote, approximately,
Asymmetric crypto systems such as Diffie-Hellman, El-Gamal, and DSS, allow the private key to be a randomly chosen number. But, as a cute hack, instead of using a random number, for the private key, you could use a hash of the User Name, and a password.
Doing so allows the users to generate their private key on demand. They don't have to store the private key, and if they want to work on another computer, they don't need to bring along a copy. Has any one tried this? Is there existing software that does this? Any comments on the security of such a scheme? The only draw back that I can think of is the potential lack of randomness in the key.
--digsig Bill Stewart <bill.stewart@pobox.com>
3k3eg3jOiy57hhibcg9SkKVwkCUw7ivtVjJBm2E0WIC
1IidMTkWR0QwVsOPeyEgQ7wdKKVtka99jziuLfOs
4VIpwv6kNvAPJdk49JEtprvCnxTBrNSyViHqgxqGc
Some people have been talking about using passwords as private keys. (By using the passphrase as seed material for regenerating the private and public key). I don't think this is a good idea.

You can't forget passphrases. You can destroy private key files. Therefore you open yourself up to coercion, and forward secrecy is not possible with these schemes. This means it is less secure.

The other reason it is less secure others commented on: you provide an open target for dictionary attacks. I wouldn't want to do that, even with a high entropy passphrase, it loses one important line of defense: unavailability of private key file.

Adam
At 4:20 PM -0500 10/29/98, Adam Back wrote:
Some people have been talking about using passwords as private keys. (By using the passphrase as seed material for regenerating the private and public key).
I don't think this is a good idea.
You can't forget passphrases. You can destroy private key files.
Yes, you can. I had an art director forget his 4 days running, AFTER LUNCH. He remembered it in the morning, but after lunch he couldn't. It wasn't a "passphrase" either, it was a _very_ weak password.

-- 
"To sum up: The entire structure of antitrust statutes in this country is a jumble of economic irrationality and ignorance. It is a product: (a) of a gross misinterpretation of history, and (b) of rather naïve, and certainly unrealistic, economic theories." Alan Greenspan, "Anti-trust" http://www.ecosystems.net/mgering/antitrust.html
Petro::E-Commerce Administrator::Playboy Ent. Inc.::petro@playboy.com
Petro <petro@playboy.com> writes:
You can't forget passphrases. You can destroy private key files.
Yes, you can. I had an art director forget his 4 days running, AFTER LUNCH. He remembered it in the morning, but after lunch he couldn't.
With the kind of "memory aid" we were talking about here (legal threat, 1 year's imprisonment for contempt to aid memory, perhaps torture) he might just have remembered it. If he didn't he'd likely get a year or so to try to remember it in prison on contempt charges for not handing it over. Deleting keys on the other hand, contempt would be a waste of time, you're never going to remember what you don't know, and they ought to be convincable of this if you can show the software documentation describing forward secret key material deletion.
It wasn't a "passphrase" either, it was a _very_ weak password.
Also note that it is not necessary to remember the password precisely, just narrow the search space down to provide a viable dictionary attack of 56 bits or whatever. The art director's password sounds like it was already below that.

Adam
-- 
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`