[Cryptography] Very best practice for RSA key generation

Jon Callas jon at callas.org
Mon Nov 4 20:58:58 EST 2019

> On Nov 2, 2019, at 7:28 PM, jamesd at echeque.com wrote:
> It is plausible that "Correct Horse Battery Staple" makes it easier to enter high entropy pass phrases, and I am inclined to believe it, but such pass phrases are longer than base 32 or base 64 passphrases, hence more opportunities to get it wrong, and I would like to see some UI testing for passphrases of the same entropy.

I agree that there should be testing, but it would be easy to construct a test that could give false or irrelevant answers. Let's assume that each word there is 15 bits of strength (in other words that the word list is 32K long). It seems obvious that the error rate on a 27 character entry would be higher than on 15 characters. Yet I'm sure that I can type "correct horse battery staple" with no errors (I just did it) more reliably than I could type 15 hex digits correctly. My brain can process 60 bits of entropy in words better than hex.

A naive thing people say about word-oriented shared secrets (I'm saying it that way for a reason) is that it's more secure, and you hit right to the crux of the matter, which is how security is measured in the face of user experience testing.

It's certainly possible to take that basic format and further make it easier. As an obvious example, you typed "Correct Horse Battery Staple" and it's obvious that "correct horse battery staple" is also valid. There's no reason why we can't accept reasonable typos or alternates such as "verum equus altilium stapulae" or "correct cheval batterie agrafe" or even "正确 马 电池 主食" as each of those is just a different encoding of four fifteen-bit integers.

The tighter a coding is, the shorter, but also the less likely for human memory and typing to work well and the less for a helpful UX to error correct.

I made a quick check for an article I saw where people were noticing some very "high entropy" passwords that turned out to be really horrible passwords, but in some language and encoding the researchers weren't expecting.
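
The idea above that differently cased, translated or slightly mistyped phrases are all encodings of the same four integers, as an added example that is not part of the original post. The two 8-word lists are constructed toys (3 bits per word instead of the 15 bits a 32K list gives), and the function names and the "one edit, unambiguous" typo rule are assumptions made for illustration.

```python
import unicodedata

# Constructed toy lists: the same index in every list is the same integer.
# A real list of 32768 entries would carry 15 bits per word.
WORDLISTS = {
    "en": ["correct", "horse", "battery", "staple",
           "river", "candle", "window", "garden"],
    "fr": ["correct", "cheval", "batterie", "agrafe",
           "riviere", "bougie", "fenetre", "jardin"],
}


def _within_one_edit(a, b):
    """True if a becomes b with at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing character in b (and in a too, if lengths are equal).
    return a[i + (len(a) == len(b)):] == b[i + 1:]


def decode_word(word):
    """Map one typed word to its integer, tolerating case and a single typo."""
    w = unicodedata.normalize("NFKC", word).casefold()
    for words in WORDLISTS.values():
        if w in words:
            return words.index(w)
    # No exact hit: accept a near miss only if it points at exactly one integer.
    near = {i for words in WORDLISTS.values()
            for i, cand in enumerate(words) if _within_one_edit(w, cand)}
    if len(near) != 1:
        raise ValueError(f"unrecognised or ambiguous word: {word!r}")
    return near.pop()


def decode_passphrase(phrase):
    """Return the list of integers that the typed phrase encodes."""
    return [decode_word(w) for w in phrase.split()]


if __name__ == "__main__":
    for typed in ("Correct Horse Battery Staple",
                  "correct cheval batterie agrafe",
                  "corect hrse battery staple"):
        print(typed, "->", decode_passphrase(typed))
```

The secret that gets compared or fed to a key derivation function is the integer list, so every accepted spelling has the same strength; rejecting ambiguous near misses keeps the typo tolerance from mapping a mistyped word onto the wrong integer.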

