-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linked-Data Key (Previously Multikey) #58
Comments
Yes, thank you for pushing this 🙌 Currently, most of the context of multikey lives on jbenet/random-ideas#31 and probably will live as one of the components of https://github.com/ipfs/specs/tree/master/keychain. |
I'm ever closer to specing this out-- need it for keychain yes. A use case is motivating all of this:
Working my way up :)
|
I'm finally sure this is the right place to drop this here, despite I never seem to be able to find the When doing a broad and rough research into the ICN topic, I've stumbled into http://tools.ietf.org/html/draft-farrell-ni-00 via http://dirk-kutscher.info/publications/uris-for-named-information/. There don't seem to be any implementations of this, but |
@almereyda nice find! just open another issue in this repo about it. if |
Since I written the issue a method of merging ed25519 and curve25519 keys got established this means we can use just one (probably ed25519) and transform the public key when we want to use encryption (curve25519). What motivates me the most about that is possibility of switching off RSA for the communication. Using ed25519 would also allow for DHT record signing as it is much much quicker than RSA and signature is only 64 bytes. |
ianopolous in IRC highlighted that separating encrypting and signing keys is important, both for RSA and post quantum crypto systems. Also about post QC systems, we should account for quite big key sizes of those. |
Yep, multiple megabytes for keys is necessary in some of the PQC schemes. But so long as you can also include the multihash of a (public) key instead of the key itself you should be fine. |
It would be great to progress this. A first step could be to agree on a format for public keys only. I'm hoping it will be ipld/cbor based to ease writing en/decoders. For reference, the format we use in Peergos so far is a cbor list with two elements, the first is a cbor int which specifies the type (and needs an accompanying lookup table like multihash), and the second is the cbor byte[] of the key contents. This ends up as a single byte for the list and its length, a single byte for the type, and two bytes for the length of the byte array and the fact it is a byte[], then the bytes themselves. So a four byte overhead on a 32 byte key like Ed25519. |
@JustinDrake might be interested in this too |
Getting back to this issue (thanks for the ping @whyrusleeping ;)). A couple of questions come to mind:
Other questions that arise:
|
Hi @diasdavid, great to see this progressing. :-) In what follows I'm only referring to public keys. I think the main question to decide first is whether you want the format to be cbor. Using cbor means that you can put the object directly into ipfs and naturally reference and pin it by the resulting cid. We already do this in Peergos for both signing and boxing public keys which are merkle linked from a root object for each user. If you agree that it should be cbor, then the initial int in my suggestion is exactly a multicodec (remember a cbor int is actually a varint), functionally equivalent to the lookup table in multihash and future proof. Then decoders specialise based on this int. The second part, which is the actual key bytes, doesn't need to be understood by a parser because cbor takes care of that by encoding the length with a varint. The only thing to be careful of is that large keys can't be stored as a single flat array (I'm thinking multi-megabyte post quantum keys), because of the object size limit, so will need to be chunked and linked accordingly. So maybe the type prefix could also include whether the key material is a single raw flat array or a merkle link. |
Just had a brainstorm with @ianopolous on steps to move this forward.
Some notes from the discussion https://cryptpad.fr/code/#/1/edit/h57w6Cgcu72ZD8puM60teA/Tp-OpCZxIFk5KBr7nTJkCKMw/ |
One more!
This can be simply resolved by having all the nodes understand how RSA/ECC works so that they know how to make the crypto challenges (SECIO) without needing to have the same type of keys. This will require some fun on SECIO, Identify and libp2p-switch |
Overall, a BIG 👍 from me. I'd still call that "multikey" as the key describes its type (and should probably have a field that says that it's a key). But that's getting into semantics...
I don't see why they have to be unixfs files for this. Exchanges exchange blocks (and, eventually, DAGs); they generally aren't unixfs specific. However, I've been pushing to have the next iteration of unixfs to be able to treat IPLD DAGs as files, if that helps (so we can store IPLD DAGs in unixfs without losing information about its structure).
That proposal was for performance and we can still do that (although we should definitely stop using the DHT, regardless of what we do). That is, we can use edit: cidv0 should be cidv1 |
Wouldn't that go against "no CIDv0 unless it addresses an actual dag-pb node"? |
Sorry, I meant |
@diasdavid curious about why you and @ianopolous suggested the keys being unixfs files, this seems like unnecessary overhead to me. |
@dignifiedquire we need to account for keys that will be GB or even TB in size #58 (comment) |
That only means we need a concept of general sharding. Requiring to use unixfs objects seems the wrong approach to this for me, as it mixes two abstractions.
…On 13. Nov 2017, 18:26 +0100, David Dias ***@***.***>, wrote:
@dignifiedquire we need to account for keys that will be GB or even TB in size #58 (comment)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Does unixfs imply using protobufs? If so, then I would prefer a simpler cbor(ipld) based structure. |
It does not imply using protobufs, it only implies that an There is a current endeavor of creating a new generation of unixfs using the new IPLD https://github.com/ipfs/ipld-unixfs Edit(Kubuxu): fixed link to ipld-unixfs |
Hey, I'm the current editor for the IETF Multihash spec: https://tools.ietf.org/html/draft-multiformats-multihash-00 I'm also updating Veres One to use multiformats for the cryptonym identifiers. Specifically, we do this for ed25519 keys:
... and this for RSA keys (note the rsa-pub-fingerprint 0x5a value has not been requested yet):
Is this the approach other folks are taking for cryptonyms (identifiers based on cryptographic material)? |
Peer IDs are our current cryptographic identifiers. We currently just take this protobuf and then hash it with multihash. We've also recently added a rule that all serialized keys shorter than 42 bytes should be hashed with the "identity" multihash so that it can be extracted from the key itself. This handles the ed25519 case and ensures that we always generate the same identifier from the same key. We'd like to switch to CIDs/IPLD. In this world, the peer ID would just be a normal CID (e.g., Note: Unless the entire key is stored in the ID, there's little use in storing things like the rsa public key fingerprint in the ID. A sha2 hash should be sufficient. |
@msporny In which wg is the draft discussed? |
@pawal -- It hasn't been assigned to a WG yet. I want to get a few more revs of the spec done with possibly a test suite + 3 implementations passing the test suite before trying to push it into a WG. |
@Stebalien said:
How are CIDs currently encoded? Here's what we are proposing: Does that look like it might be aligned with where CIDs want to go in IPFS? If not, why not?
The RSA SPKI public key fingerprint is a sha2-256/256 hash. There is an example of an RSA SPKI-based fingerprint used as a cryptographic CID: What do you think of that proposal? I'd like to get at least the Sovrin, Veres One, and IPFS communities aligned on cryptographic identifiers so I can propose a multibase+multicodec+multihash spec for cryptographic identifiers at IETF. |
@msporny What wg do you have in mind? A lot of things are going to change in the spec when going for standards track and going through a wg, so aiming for three implementations is not really necessary work, just more work for the implementations when things change. |
Perhaps SEC area and CFRG to start, get some input there. Then maybe move into ace. I expect that the area director will have an opinion on where this work goes... it's not clear that it fits neatly into an existing group.
hmm, I thought a good chunk of the multi* specs were pretty stable at this point. Are they not? Perhaps I'm misunderstanding where this work is at present. I thought there were multiple implementations of multibase, multicodec, and multihash already? Or are you talking about the "how to encode CIDs" bit? |
@msporny I meant that if you're aiming for standards track, getting the document through a wg will change a lot of details in the draft. Depending on the input of the wg. |
I'm needing to encode keys in base45 multiformats/multibase#64 encoded master seeds (BIP45) for QR encoding, in particular 32 and 64 byte master seeds, shamir secret shards (40 bytes), derived private and public keys (32 bytes plus path), ecdh signatures (72 bytes), Schnorr signatures (32 bytes or 64 with public key), etc. All of these for QR encoded air gap scenarios. Any progress on multikey? -- Christopher Allen |
now is a good time to shape the input of the wg. Here is a charter proposal. There is also a new mailing list hosted by IETF to discuss multiformats. https://mailarchive.ietf.org/arch/browse/multiformats/ |
I didn't see any specs for multikey so here are my notes what I'd love to see in it and how it could look.
We need a way to represent key types but also how are those keys stored, for example password they might protected. As keys might be getting much bigger (QC and hash based signature crypto) we also need a way to express keys bigger than 256 bytes. There are three options for that:
(maybe something even bigger).
Each of them hash its pros and cons.
As format goes I would see it as:
First byte in 3 lower bits would include information if it is public, private or secret key (3bits = 8 values, rest left for future) and in 5 higher bits it would include information about how the key was protected, for example: no protection, scrypt+AES256, scrypt+salsa20, pure AES and so on.
Next byte would point onto crypto schema of key itself, it would depend on key type.
In case of symmetric key it might be AES128, AES256, salsa20.
In case of private and public for example RSA1024, RSA2048, ed25519, curve25519, ECDSA.
Questions:
Edit: Point of key protection schema is to allow sending for example password protected private keys. In case that just exchange of public keys took place, no-protection schema should be expected.
The text was updated successfully, but these errors were encountered: