Thanks for that. As to why it is a good idea, consider for example encrypted zip files sent to various people. The big danger with encryption is that keys will be lost, and thus the data. So as well as encrypting with a symmetric pass phrase, that phrase can be wrapped in a public key (which requires a cert). But now we have the problem of the private key, key stores etc. Easy for a PKI expert, but not for a simple user. How much simpler a public key pass phrase that can be remembered, written down etc. No Key store to mismanage or lose.

Anthony

On Tue, Feb 21, 2012 at 8:47 AM, Wim Lewis <w...@omnigroup.com> wrote:

> On Feb 17, 2012, at 5:05 PM, anthony berglas wrote:
> > Taking a different slant, is it possible to provide the "Entropy" using a pass phrase. So a given pass phrase will always generate the same key pair. This means that for simple applications no key store is required. Much like password based (symmetric) encryption.
> >
> > Any ideas as to how hard that would be to do with Open SSL? Has anyone else done it?
>
> I dimly remember seeing schemes and specifications for doing roughly that, although I can't find a reference for one offhand[1]. All the entropy is provided upfront and the secret key parameters are derived from it in a well-defined deterministic way. AIUI the intent is to allow the RNG and PKC implementations to be validated independently (with published test vectors for the deterministic key-generation step) but presumably you could use it to derive RSA keys from a password as well.
>
> (I might be remembering DSA key generation; the secret parameter of a DSA key doesn't have to have special properties, so you could if you wanted simply use the output of a PBKDF-like algorithm there?)
>
> > My question is, has this been done, or would it be easy to do given the existing structure.
>
> I don't think it would be hard to do; OpenSSL's rsa_builtin_keygen() is pretty straightforward and I don't think it relies on any internals not exposed to users of the library. You could write a version of it that calls an equivalent of BN_generate_prime_ex() that works deterministically based on the passphrase.
>
> Like others, I'm skeptical that this is actually a good idea, but I could be wrong...
>
> [1] Some places suggest that X9.31 and/or X9.44 might contain deterministic algorithms for RSA secret key generation in their appendices, but I don't have easy access to those.

--
Dr Anthony Berglas, anth...@berglas.org Mobile: +61 4 4838 8874
Just because it is possible to push twigs along the ground with one's nose does not necessarily mean that that is the best way to collect firewood.
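
An added example (not from the thread and not OpenSSL code) of the scheme discussed above: PBKDF2 stretches the passphrase, and its output is the only entropy fed to a deterministic prime search, so the same passphrase always yields the same RSA key pair. The function names, salt and iteration count are assumptions; since anyone holding the public key can test passphrase guesses offline, the key is only as strong as the passphrase.

```python
import hashlib
from math import gcd

E = 65537  # conventional RSA public exponent
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def _expand(seed, label, counter, nbytes):
    # SHAKE-256 as a deterministic, domain-separated byte generator.
    return hashlib.shake_256(seed + label + counter.to_bytes(4, "big")).digest(nbytes)

def _is_probable_prime(n, seed, rounds=40):
    # Miller-Rabin on an odd n, with witnesses drawn from the seed so runs repeat exactly.
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for i in range(rounds):
        a = 2 + int.from_bytes(_expand(seed, b"mr", i, n.bit_length() // 8 + 8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: composite
    return True

def _prime(seed, label, bits):
    counter = 0
    while True:
        c = int.from_bytes(_expand(seed, label, counter, bits // 8), "big")
        c |= (0b11 << (bits - 2)) | 1  # top two bits set (full-length modulus), odd
        if gcd(c - 1, E) == 1 and _is_probable_prime(c, seed):
            return c
        counter += 1

def keypair_from_passphrase(passphrase, salt, bits=2048, iterations=600_000):
    # PBKDF2 stretches the passphrase; its output is the only entropy used below.
    seed = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32)
    p, q = _prime(seed, b"p", bits // 2), _prime(seed, b"q", bits // 2)
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

if __name__ == "__main__":
    SALT = b"example-app-v1"  # constructed; a fixed, public, per-application value
    key = keypair_from_passphrase("correct horse battery staple", SALT, bits=1024)
    print(hex(key["n"]))
```

Changing the salt, iteration count or prime-search rule changes every derived key, so those parameters have to be fixed for the lifetime of the data.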