
Predictable, passphrase-derived PGP keys - zeveb
https://nullprogram.com/blog/2019/07/10/
======
ryan-c
This is a bad idea because if you can generate your key from a passphrase,
everyone else in the world can do so also. This tool "helpfully" tags all keys
it generates (via timestamp = 0) to announce the potential vulnerability.

Yes, this implementation uses the user id as a salt to prevent lookup tables
from being built.

Yes, this implementation uses aggressive KDF settings to deter this sort of
attack.

People are still really bad at choosing passwords and passphrases. They often
pick phrases from obscure, but public, sources, thinking they're clever.

When the "let's derive asymmetric keys from a passphrase" idea was applied to
cryptocurrencies the results were catastrophically bad. I gave a talk at
DEFCON about this four years ago:

[https://www.youtube.com/watch?v=foil0hzl4Pg](https://www.youtube.com/watch?v=foil0hzl4Pg)

There are some marginally valid use cases for keys that can be memorized, but
for those cases, tools should offer opinionated passphrase generation tools
that make it impractical to pick a bad passphrase. A simple way to do this
would be to require that e.g. the first x bits (10 to 16 probably?) of
sha256(passphrase) are zero, and bundle a tool that takes in a wordlist, an
output passphrase strength, and user provided entropy (to be combined with
system entropy for users who don't trust the system csprng), and spit out a
compliant diceware-style passphrase.
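
The generator ryan-c sketches above, as an added example that is not part of this thread or of the blog's tool: it mixes user-provided and system entropy, draws words without modulo bias from a wordlist, and rejects candidates until the leading bits of sha256(passphrase) are zero. The function names and the 32-word list are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 32-word toy list (5 bits per word); a real tool would ship a
# full diceware-style list, e.g. the EFF large list (7776 words, ~12.9 bits).
WORDLIST = (
    "apple basin cable delta ember fable gavel hinge "
    "ivory jewel kayak lemon mango noble olive petal "
    "quartz radar sable tulip ultra vivid wafer xenon "
    "yacht zebra amber bloom cider dune echo flint"
).split()

def mixed_seed(user_entropy: bytes, system_entropy: bytes) -> bytes:
    # Both inputs feed one hash, so the seed stays unpredictable to anyone
    # who controls only one of them (untrusted CSPRNG or weak user input).
    return hashlib.sha256(b"pw-gen-v1|" + system_entropy + b"|" + user_entropy).digest()

def uniform_indices(seed: bytes, n: int):
    # Counter-mode HMAC-SHA256 stream with rejection sampling, so indices
    # into a list of any size (not only powers of two) are unbiased.
    limit = (1 << 32) - ((1 << 32) % n)
    counter = 0
    while True:
        block = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
        for i in range(0, 32, 4):
            r = int.from_bytes(block[i:i + 4], "big")
            if r < limit:
                yield r % n

def is_compliant(passphrase: str, zero_bits: int) -> bool:
    # ryan-c's rule: the first zero_bits bits of sha256(passphrase) are zero.
    digest = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    return (digest >> (256 - zero_bits)) == 0

def generate(strength_bits, zero_bits, user_entropy, system_entropy=None, wordlist=WORDLIST):
    if system_entropy is None:
        system_entropy = secrets.token_bytes(32)
    # Only 1 in 2**zero_bits random phrases pass the filter and an attacker
    # can skip the rest, so add zero_bits worth of words to keep the target.
    n_words = math.ceil((strength_bits + zero_bits) / math.log2(len(wordlist)))
    indices = uniform_indices(mixed_seed(user_entropy, system_entropy), len(wordlist))
    while True:  # expected 2**zero_bits attempts: ~1024 hashes for 10 bits
        phrase = " ".join(wordlist[next(indices)] for _ in range(n_words))
        if is_compliant(phrase, zero_bits):
            return phrase
```

A human-chosen phrase from a book or song almost never satisfies the leading-zero check, which is what makes the rule a usable guard against weak picks.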

------
zaarn
>Fun fact: Two different primary keys can have the same subkey. Anyone could
even bind any of your subkeys to their primary key! They only need to sign the
public key! Though, of course, they couldn’t actually use your key since
they’d lack the secret key. It would just be really confusing, and could,
perhaps in certain situations, even cause some OpenPGP clients to malfunction.

Can't wait for the next time someone clogs up the SKS system and tells us that
GPG is terrible and the PGP ecosystem is essentially in a state of eternal
trashfire, only to be told by the GPG wizards that everything is fine and
working as intended, it will be fixed anyway by that one guy that volunteered
on the mailing list to do it, they assure us.

Man, where would we be without the people that defend GPG? Possibly in a world
with easy-to-use mail cryptography solutions but who wants that?

Otherwise this was a very interesting blogpost, I should probably upgrade my
GPG keys at some point, considering the primary keys have been floating
unencrypted into various public spaces.

~~~
georgyo
I don't think anyone complains about the format of PGP encrypted files or
signatures. The protocol itself is just fine. All the exploits are in the key
distribution or presentation layer.

e-fail is a good example of a presentation failure. It has very little to do
with PGP or GPG itself, but instead failures to adequately separate the
output.

You have a few choices for key distribution.

1\. A walled garden like keybase.

2\. A distributed trust model like the web of trust.

3\. A bunch of web servers with no proof the key has not been tampered with.

All of them have benefits and flaws.

~~~
megous
4\. DNS (sort of a walled garden, yes)

5\. Adding a fingerprint to all e-mails you send out (people online you never
met/meet only know you by your online behavior anyway) so cross-checking a few
mailing list archives the user posted to in the last few years should be
enough. This is most useful if you are subscribed and can be thus sure that
the archive was not manipulated.

~~~
Boulth
> 4\. DNS (sort of a walled garden, yes)

IMHO, Web Key Directory is a better option here. It has all benefits of DNS
but none of the drawbacks (DNS has plain text queries etc.)

~~~
megous
Very nice.

Both DNS and WKD are real-time, and modifiable by an attacker. There's no
trail of trust/history. It may be good for discovery, but trusting the key
requires more.

I guess that it's better to have multiple independent ways to validate
ownership of a key after you discover it. Cross-check various methods that
require different levels of access, to see if something is fishy.

Anyway, I'm off to implement wkd. :)

------
summitto
This is awesome work. My team implemented something similar but more powerful,
a PGP packet library: [https://github.com/summitto/pgp-packet-library](https://github.com/summitto/pgp-packet-library)

We were looking for a solution like this but with more flexibility and power.
Using our library you can generate PGP keys using any key derivation mechanism
for a large variety of key types!

------
Scaevolus
I personally find Diceware passwords unfriendly, so I made my own passphrase
generator: [https://rmmh.github.io/abbrase/](https://rmmh.github.io/abbrase/)
(has an offline mode too)

Here are two sentences picked from a batch of 32 for a 120-bit security factor
that I think the average person could memorize with a few minutes of effort:

know why rod signifies eight nodes

middle crude tissue clearly said Sultan

