
Re: Memorized secret keys



At 03:16 PM 4/19/96 -0700, Hal <[email protected]> wrote:
>Choose x bits of good random numbers (x defined below), calling it X.
>Seed an MD5 iteration or some other crypto RNG with X and generate
>random starting points for p and q.  Search for the next primes after
>these starting points to get p and q, multiply to get n, and choose the
>first exponent >= 3 or 17 or 65537 (choose by taste) as e.  Burn p and
>q but memorize the random seed X.

An interesting approach; given enough spare computing, the passphrase
is the key.  Remember to transform the passphrase space into some
wide-enough space that it will include a bunch of primes, to avoid
having multiple passphrases generating the same prime.  Prime density
is approximately log n (ln n?), e.g. 1/512 for a 512-bit number,
so a crude approach like using a 128-bit hash as the most significant bits
should do fine.

>The main question is, can x be both long enough that it is not the
>weakest length in factoring, say, a 1024 bit key, while being short
>enough that it can be memorized?
>My guess is that x must be 80-120 bits, somewhere in there.  This would
>be 6 to 9 words chosen from a 16K word list: marginally doable.

Almost by definition, you want at least 128 bits, since you'll probably be
using the public key crypto to protect a 128-bit session key.  (Keys for
signatures may need a bit less slack, though I'd still be wary of <90 bits.)
Also, if you're starting by taking an MD5 of the passphrase (after looking up
the words in the dictionary or whatever), you're limited to 128 bits of
entropy; it's probably worth using SHA, or at least picking p from the MD5
and q from the MD5 of the reverse of the passphrase.
#					Thanks;  Bill
# Bill Stewart, [email protected], +1-415-442-2215
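
The scheme discussed in this message, as an added Python example that is not code from either poster: a memorized seed X is expanded into starting points for p and q, the next primes are found, and e is the first usable exponent at or above 65537. Assumptions: SHA-256 in counter mode stands in for the "MD5 iteration", p and q get separately labelled hash streams, the top two bits of each starting point are forced so n has full length, and the names `expand` and `derive_rsa` are hypothetical.

```python
import hashlib
from math import gcd

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, so every run makes the same decisions."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def expand(seed, label, nbytes):
    """SHA-256 in counter mode: an assumed stand-in for the 'MD5 iteration'."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + seed).digest()
        ctr += 1
    return out[:nbytes]

def derive_rsa(seed, bits=1024, e_start=65537):
    """Rebuild (n, e, d) from the memorized seed X; p and q are never stored."""
    half, primes = bits // 2, []
    for label in (b"p", b"q"):           # separate hash stream per prime
        c = int.from_bytes(expand(seed, label, half // 8), "big")
        c |= (3 << (half - 2)) | 1       # assumption: force top two bits, make odd
        while not is_probable_prime(c):  # "next prime after the starting point"
            c += 2
        primes.append(c)
    phi = (primes[0] - 1) * (primes[1] - 1)
    e = e_start
    while gcd(e, phi) != 1:              # first usable exponent >= e_start
        e += 2
    return primes[0] * primes[1], e, pow(e, -1, phi)
```

Calling `derive_rsa` again with the same seed bytes returns the same `(n, e, d)`, which is the property the scheme depends on; the modular inverse via `pow(e, -1, phi)` needs Python 3.8 or later.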