State-level security with deterministic PGP keys


summitto released an open source software library and utility:

These allow anyone to easily generate secure PGP keys, with excellent support for backing up your keys. In this article, we provide a brief but dense explanation of why we chose to build this. In the next post we will explain in depth how to use it.

Pretty Good Privacy

PGP stands for Pretty Good Privacy. Originally created in 1991, it is a protocol with a rich history. [1] Hundreds of hardware and software products allow you to use PGP to encrypt messages and to create digital signatures. You can use it to send encrypted emails, or to prove your identity.

The history of complaints about PGP is just as rich as its usage. [2] PGP was supposed to mark the start of an era in which the world could easily hide their email communications. Unfortunately, the usability of the software lagged behind. By now, the protocol and its implementations are starting to show their age [3] and many excellent alternatives exist. [4] Even its creator Phil Zimmermann moved on to building new encryption protocols. [5]

Still, the fact of the matter is that it currently remains a very useful tool because it is so widely supported. [6] As a startup, we wanted to use its power to the full extent. And we chose to Voice instead of Exit. [7]

We wanted to be able to generate PGP keys deterministically from our own source of randomness and to easily back up one master key. We were inspired to pursue this by the great work of Bitcoin developers on Bitcoin Improvement Proposal 32 [BIP32]. [8] Before this proposal was developed, users were expected to generate and back up a random key every time they wanted to receive Bitcoin. This made it very hard to maintain an up-to-date and secure backup of all your keys! PGP suffers from a similar problem: the process of creating, updating, revoking and storing your keys is complex.

BIP32, which was developed in 2013, describes a mechanism to derive Bitcoin keys from a single seed. As a result: “Deterministic wallets do not require such frequent backups.” If you use a BIP32 wallet, all you need to store is a single seed! Another group of developers took this kind of thinking to the next level and designed the Glacier Protocol [9], which is a set of instructions to securely generate and store this seed. This is an amazing effort, and we believe the same way of working should be accessible for PGP users.

To summarize, when you derive your keys from a single seed, you gain more control over the level of:

  • security, as you can generate keys from any source of entropy (e.g. dice [10], an HRNG [11] or even lava lamps [12]).

  • resilience, as you can separate the key generation process from the software which uses the keys. You can create a master key and store it in any desirable format (e.g. as a mnemonic [13], or on cryptosteel [14]).
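
The idea above, as an added example that is not code from summitto's library: dice rolls are hashed into one master seed, and independent 32-byte secrets for each key usage are derived from it with a chained HKDF. The derivation labels, the salt string, the identity and the sample rolls are assumptions made for this sketch, and HKDF stands in for whichever hierarchical derivation scheme you choose.

```python
import hashlib
import hmac
import math

# Constructed sample input: 50 d6 rolls. Never reuse published rolls for real keys.
SAMPLE_ROLLS = ("314256" * 9)[:50]

def seed_from_dice(rolls, min_bits=128):
    """Hash d6 rolls ('1'-'6') into a 32-byte master seed, refusing weak input."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must contain only the digits 1-6")
    bits = len(rolls) * math.log2(6)  # about 2.58 bits per fair roll
    if bits < min_bits:
        raise ValueError(f"{bits:.0f} bits of entropy, need {min_bits}")
    return hashlib.sha256(rolls.encode()).digest()

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract a PRK, then expand it under a context label."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_path(master_seed, path):
    """Walk a label path; each child is a one-way function of its parent."""
    node = master_seed
    for label in path:
        # Salt and labels are hypothetical, chosen for this example only.
        node = hkdf_sha256(node, b"example-pgp-derivation", label.encode())
    return node

def derive_key_seeds(master_seed, identity):
    """One independent 32-byte secret per key usage (labels are hypothetical)."""
    usages = ("certify", "sign", "encrypt", "authenticate")
    return {u: derive_path(master_seed, ["pgp", identity, u]) for u in usages}

if __name__ == "__main__":
    master = seed_from_dice(SAMPLE_ROLLS)
    for usage, secret in derive_key_seeds(master, "alice@example.org").items():
        print(usage, secret.hex())
```

Only the dice rolls (or the master seed) need to be backed up; every derived secret can be regenerated from them. To reproduce the same PGP fingerprint as well, the key creation time must also be fixed, because the OpenPGP v4 fingerprint covers it.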

What exists?

Many attempts were made to achieve this, but we couldn’t find any secure alternative to deterministically generate an asymmetric key pair for PGP. Some of the projects we came across along our journey:

In our new solution, we re-implemented a part of the OpenPGP spec so you can securely generate and back up all of your keys with just a single master key. You can use any Hierarchical Derivation scheme for your keys. [15] You can use modern software to generate your keys. [16] And all of that whilst still making use of all systems that provide integrations with PGP!

Audit

To make sure that we did not make any mistakes and that we followed security best practices, we had an independent security audit carried out by Radically Open Security. We did this so people have higher assurance that the code does what it should and has been verified by people who know PGP inside and out. The audit is also publicly available via the GitHub link shared at the start of this blog post. We implemented all suggestions from the report.

Summitto is building security software for tax authorities around the world. Read on in our next post about how to use the library and what you should and should not do while preparing for your perfect PGP setup.

Sources

[1] https://www.openpgp.org/about/history/

[2] https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/

[3] https://moxie.org/blog/gpg-and-me/ and https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

[4] https://blog.gtank.cc/modern-alternatives-to-pgp/, https://github.com/FiloSottile/age

[5] https://www.silentcircle.com

[6] https://www.openpgp.org/software/developer/

[7] https://en.wikipedia.org/wiki/Exit,_Voice,_and_Loyalty

[8] https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

[9] https://glacierprotocol.org/

[10] https://en.wikipedia.org/wiki/Diceware

[11] https://en.wikipedia.org/wiki/Hardware_random_number_generator

[12] https://blog.cloudflare.com/randomness-101-lavarand-in-production/

[13] This functionality is not supported by pgp-key-generation; see https://en.bitcoin.it/wiki/Seed_phrase

[14] http://bulletproofbitcoin.com/

[15] https://www.openpgp.org/about/history/

[16] https://libsodium.gitbook.io/, https://www.cryptopp.com/