Re: Death of PGP Key 0xFBAF5E44 at 19:03 02 Jan 1999 UTC

Anonymous (nobody@replay.com)
Sun, 3 Jan 1999 19:39:37 +0100


...
> This is a plug, but it's taken at the most opportune time I can imagine.
> If PGP used elliptic curve PK you wouldn't have this problem. Your
> verification can be regened by hashing your pass phrase. That's not the
> same as being unlocked, it's being recreated. From your wetware. If that
> goes, all your data is lost too.

The same can be done with any public-key cryptosystem -- DH, DSS, whatever --
provided you trust some symmetric cipher (if you don't, don't use PGP :). Use
the passphrase to key a stream cipher or feedback-mode block cipher; the
resulting keystream can be used in prime generation as if it were the random
number generator's output. If you want to store p and q for convenience (i.e.,
so you don't have to regenerate them every time), you can siphon off a kilobyte
or so of stream before the prime generation, XOR it with the private key once
the key's generated, and store that.

When it's time to use the key, you regenerate the KB of stream from the
passphrase and use it to reverse the XOR, and when your computer crashes, you
just go through the whole process from the start on your new computer; same
passphrase -> same private key. Using the stored key doesn't take any longer
than using any other encrypted stored key, nor does regenerating it take
noticeably longer than a normal key generation.

However, that approach has its disadvantages. It's been said that a combination
of "something you have" (in this case, a key based on computer-generated
randomness) and "something you know" (in this case, the passphrase) is better
than either "something you have" or "something you know" alone, and I agree.

P'r'aps distributing secret random numbers to trusted friends and them XORing
them together with the hashed passphrase (or something similar using k-of-n
secret-sharing) would be a Good Thing. That way, it's "something you or your
friends have" and "something you know," which should allow fairly easy key
regeneration after a crash without adding so severe a rubber-hose risk.

>
> One major advantage of being able to carry around your verification in your
> head is that you can create your secret key on any machine. That's also
> dangerous for the unaware, but in this case you could have recovered most of
> your data and not have had to send the message.
>
> Patience, persistence, truth,
> Dr. mike
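
The passphrase-to-keypair scheme sketched in this reply (keystream standing in for the prime generator's randomness, plus a kilobyte siphoned off beforehand and XORed over the stored private key), written out as an added worked example; it is not code from the post or from PGP. It assumes SHA-256 in counter mode as the stream cipher and uses toy 64-bit RSA primes so the search finishes instantly; the regeneration property (same passphrase, same key) and the mask recovery are what it demonstrates.

```python
import hashlib
import itertools
import math
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin bases below 3.3e24
E = 65537  # public exponent

def keystream(passphrase: bytes):
    # Stand-in for the post's stream cipher: SHA-256 in counter mode (an assumption, not PGP's design).
    key = hashlib.sha256(b"regen-kdf|" + passphrase).digest()
    for ctr in itertools.count():
        yield from hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()

def read(stream, n: int) -> bytes:
    return bytes(itertools.islice(stream, n))

def is_probable_prime(n: int) -> bool:
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        if pow(a, d, n) not in (1, n - 1) and all(pow(a, d << i, n) != n - 1 for i in range(1, r)):
            return False
    return True

def gen_prime(stream, bits: int) -> int:
    # Prime search that reads keystream bytes where it would normally read a RNG.
    while True:
        cand = int.from_bytes(read(stream, bits // 8), "big") | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def derive_keypair(passphrase: bytes, bits: int = 64):
    # Returns ((n, e), d, mask); mask is the kilobyte siphoned off before prime generation.
    s = keystream(passphrase)
    mask = read(s, 1024)
    p, q = gen_prime(s, bits), gen_prime(s, bits)
    while p == q or math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = gen_prime(s, bits)
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1)), mask

def store_private(d: int, mask: bytes) -> bytes:
    # Private exponent XORed with the siphoned stream: this is what goes on disk.
    return bytes(a ^ b for a, b in zip(d.to_bytes(len(mask), "big"), mask))

def recover_private(stored: bytes, passphrase: bytes) -> int:
    # Regenerate just the mask from the passphrase (no prime search) and undo the XOR.
    mask = read(keystream(passphrase), len(stored))
    return int.from_bytes(bytes(a ^ b for a, b in zip(stored, mask)), "big")
```

Losing the stored file costs nothing, since `derive_keypair` rebuilds the same key from the passphrase alone; that is exactly why the passphrase becomes the single point of rubber-hose failure the reply goes on to discuss.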



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:01