1998-10-29 - Re: Using a password as a private key.

Header Data

From: Bill Stewart <bill.stewart@pobox.com>
To: RedRook <cypherpunks@toad.com
Message Hash: 53b52505c919da251b4d119b5ec7961b5892ccf569750d24d0d571dc66ff1009
Message ID: <3.0.5.32.19981028012129.008334d0@idiom.com>
Reply To: <19981027215307.3786.rocketmail@send1d.yahoomail.com>
UTC Datetime: 1998-10-29 09:06:06 UTC
Raw Date: Thu, 29 Oct 1998 17:06:06 +0800

Raw message

From: Bill Stewart <bill.stewart@pobox.com>
Date: Thu, 29 Oct 1998 17:06:06 +0800
To: RedRook <cypherpunks@toad.com
Subject: Re: Using a password as a private key.
In-Reply-To: <19981027215307.3786.rocketmail@send1d.yahoomail.com>
Message-ID: <3.0.5.32.19981028012129.008334d0@idiom.com>
MIME-Version: 1.0
Content-Type: text/plain

    --
James Donald's "Crypto Kong" system http://catalog.com/jamesd/Kong/ does this.
It uses Diffie-Hellman and ElGamal crypto over Elliptic Curves,
so it can get away with relatively short keys, 240-255 bits.
The secret key is hashed from your passphrase (and/or a keyfile*).
Your public key is generated from the secret key and a generator.

Because the public keys can be short, there are some real conveniences.
You don't need to distribute big clunky keys in a keyserver;
255 bits is just 43 characters of base-64, so you can put it in 
your mail signatures and on your business cards.

Kong takes an interesting approach to key certification and signatures -
it doesn't use the "True Name" model with a Certificate Authority Trusted 
Third Party Subject To Many Government Regulations certifying that
the person who has this key has that True Name.
Instead, you sign messages, and it keeps a database of signed messages from people,
and you can compare a message you have with a message you've received 
previously to see if it's signed by the same key, and you can 
send encrypted messages to the person who sent you a previous message.  
If you want to do the equivalent of signing a key,
you just sign a message including someone else's message, 
maybe adding commentary (which is hard to do in PGP.)  Here's an example:
	-- 2
	Dear Carol
	I've known Bob for a long time, and he's probably not an FBI plant.
	Here's a copy of his business card.  Alice
    	--
	Bob Dobbs, Sales, PO Box 140306, Dallas TX 75214    
	http://subgenius.com/bigfist/pics2/logoart/dobbs3x45.GIF
	--digsig
         Bob
	F9KBGIfyizpoyo8i8NS/Dqe/eP4WVNcXcRJuS14QPXn
	N9Cm/pDw8sgVDMj8f3upNmp1pSE3rSj0atQuF7Jt
	4RgxEDpUxK1DVzBejpH3qqvrqcY2+8M+pSXFB0LLG
	--digsig
         Alice
	9Xjp1N+QDtXR9Mw1S0gJTnwliGM3rQpuzdogeqOLqii
	ckd5NlB2nGrQHe4TSMSDd791WEq64XCotsYG0oiZ
	4W3Yi4QBCgYC0SnORJFesTOcbCsmGsEnXZRCVrsou

and you can go compare Alice's signature with the one
she gave you at the Prop 215 Bake Sale.

On the other hand, "work on another computer" is a dangerous phrase.
If it's another of _your_ computers, fine, but otherwise
how do you trust that the copy of Kong or PGP or whatever
you're running is the real thing, or that it's not saving your passphrase
from the keyboard driver, or all the usual threats.
Those threats are somewhat true with your own computer,
but there you not only have some control over the machine,
you know that if Bad Guys have cracked it, your data is hosed anyway :-)

[ * The Kong keyfile is a file of might-as-well-be-random bits which gives you entropy, 
and makes the system usable in environments where passphrases aren't convenient,
such as unattended batch mail decryption done in remailers.
You can either use just the passphrase, use just the keyfile, or use both.]

At 01:53 PM 10/27/98 -0800, RedRook <redrook@yahoo.com> wrote, approximately,
>Asymmetric crypto systems such as Diffie-Hellman, El-Gamal, and DSS, 
>allow the private key to be a randomly chosen number. But, as a cute hack, 
>instead of using a random number, for the private key, you could use 
>a hash of the User Name, and a password. 
>
>Doing so allows the users to generate their private key on demand.
>They don't have to store the private key, and if they want to work on
>another computer, they don't need to bring along a copy.
>Has any one tried this? Is there existing software that does this? Any
>comments on the security of such a scheme? 
>The only draw back that I can think of is the potential lack of
>randomness in the key. 

    --digsig
         Bill Stewart <bill.stewart@pobox.com>
     3k3eg3jOiy57hhibcg9SkKVwkCUw7ivtVjJBm2E0WIC
     1IidMTkWR0QwVsOPeyEgQ7wdKKVtka99jziuLfOs
     4VIpwv6kNvAPJdk49JEtprvCnxTBrNSyViHqgxqGc
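RedRook's hash-of-user-name-and-password private key and Kong's hashed passphrase-and/or-keyfile, worked through as an added illustration that is neither Kong's code nor anything posted in this thread. Curve25519 (RFC 7748) stands in for Kong's unnamed curve, and the KDF, the user name as salt and the keyfile handling are assumptions; the only thing the page fixes is that the public key is secret times generator and fits in 43 base-64 characters.

```python
import base64
import hashlib

# Curve25519 (RFC 7748) stands in for Kong's curve, which the post does not name.
P = 2**255 - 19
A24 = 121665            # (486662 - 2) / 4
BASE_U = 9              # generator's u-coordinate

def x25519_scalarmult(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k times the point with u-coordinate u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def clamp_scalar(raw: bytes) -> int:
    """RFC 7748 clamping of 32 derived bytes into a valid Curve25519 secret."""
    k = bytearray(raw)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def derive_secret(user: str, passphrase: str, keyfile: bytes = b"") -> int:
    """Secret scalar from user name + passphrase (RedRook) and/or keyfile (Kong); assumed
    construction. The slow KDF only raises the cost of each guess: the entropy RedRook
    worries about comes from the passphrase and the keyfile, not from the hashing."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), user.encode() + keyfile, 100_000, 32)
    return clamp_scalar(raw)

def public_key_b64(secret: int) -> str:
    """Public key = secret * generator, as the 43 base-64 characters the post mentions."""
    u = x25519_scalarmult(secret, BASE_U)
    return base64.b64encode(u.to_bytes(32, "little")).decode().rstrip("=")
```

Running derive_secret with the same user name, passphrase and keyfile on a second machine regenerates the same secret, so there is no key to carry along; leaving the keyfile out leaves only the passphrase's entropy between an attacker and the secret.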
