[WIP] Deterministic file and bucket keys

[cpollard1001]

Deterministic file and bucket key description.

[super3]

This is just deterministic correct? So this should be getDBucketKey not getHDBucketKey.

[cpollard1001]

It's still hierarchical in the sense that you have the seed -> bucketKey -> fileKey and sharing the bucketKey gives you access to all its fileKeys, but not access to the seed. Right?

[braydonf]

Right, wasn't there also a process of determining the fileId? This may be separate SIP for generating a merkle root hash from all of the shards for the fileId.

[cpollard1001]

Yeah, that should probably be a separate SIP. It will depend on whether the benefits of doing that outway the convenience of being able to lookup an entry directly by user id, bucket name, and file name.

[super3]

Same here.

[braydonf]

I think it would be useful to include some rationale for why pbkdf2 is used here against the alternatives.

[cpollard1001]

I agree. I used it mainly because is already used in CipherKeyIV. Since we are hashing long, generated passwords, not weak user provided passwords, just about any hash would probably work fine.

[braydonf]

Also is the mnemonic converted to a seed? And that seed used? It may also be useful to separate the mnemonic from derivation. e.g. A master secret, which all symmetric keys are derived. And there is a process of generating master secret from a mnemonic.

[cpollard1001]

Right now, I'm using the mnemonic directly because it's simpler to implement. I can't think of any downsides to doing it that way since pbkdf2 can take arbitrarily long passwords. We could hash the mnemonic and store that, but then there wouldn't be an easy way to convert that value back to a mnemonic for easier key transfer.

[braydonf]

That sounds more like a long pass phrase than BIP39 ;) For example, the mnemonic last keyword is part of a checksum, and a few other details. The mnemonic can be stored instead of the seed to solve problem of transferring.

[cpollard1001]

Agreed

[braydonf]

I think it would still be a good idea to use BIP38 here, as we may want to have a mnemonic that would be for both encryption and other purposes with BIP32 derivation.

[super3]

That just sounds like just deterministic keys to me. Hierarchical keys
would involve branches of parent and child keys. This proposal only has one
path for key derivation.

On Oct 22, 2016 12:03 PM, "Chris Pollard" notifications@github.com wrote:

@cpollard1001 commented on this pull request.

In sip-deterministickeys.md #8:

+Currently, all keys are generated randomly on a per-file basis and stored encrypted in the user's keyring. This does not allow any easy way for a user to syncronize keys across devices. To do this currently, it would require either trusting the bridge with keyring, creating direct connections between devices, or introducing a new asymmetric encryption scheme. None of these are easily implemented.
+
+This proposal allows users to syncronize keys simply by typing a twelve word mnemonic into each new device. This seed will allow users to generate all of their keys deterministically for any future bucket or file.
+
+Secondly, there is no way to make a future-proof offline backup. A backup storage device would have to constantly be updated with the latest version of the keyring. This could compromise the backup's security.
+
+Finally, users might want to grant other users access to all the files in a bucket. Currently, this would require all file keys to be sent to the target, which would be difficult to manage. This proposal introduces bucket keys which can be used to deterministically calculate all of the file keys in a bucket. A user could share this bucket key with another user so that they can encrypt or decrypt any file in a bucket, or share it with the bridge to make an entire bucket public.
+
+Specification
+-------------
+
+Generate a twelve word mnemonic according to BIP 39 which gives 132 bits of entropy. This mnemonic will be encrypted into the keyring using the keyring's standard method of encryption. The bucket key is generated using pbkdf2 using the mnemonic as the password, the bucket id as the salt, and other settings already used by DataCipherKeyIv. The file key is generated similarly using the bucketKey as the password and fileId as the salt. This file key then becomes the secret password to a new DataCipherKeyIv.
+
+```javascript
+DataCipherKeyIv.getHDBucketKey = function(mnemonic, bucketId){

It's still hierarchical in the sense that you have the seed -> bucketKey
-> fileKey and sharing the bucketKey gives you access to all its fileKeys,
but not access to the seed of course. Right?

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#8, or mute the thread
https://github.com/notifications/unsubscribe-auth/AADuL0HebxCxFz6H2Rj0_caSEMPH6Znaks5q2jOsgaJpZM4Kd1WN
.

[super3]

Doesn't look like this is going to be finished or maintained. Closing.