micro-key-producer

Produces secure keys and passwords.

• 🔓 Secure: audited noble cryptography
• 🔻 Tree-shakeable: unused code is excluded from your builds
• 🎲 Produce known (deterministic) and random keys
• 🔑 SSH, PGP, TOR, IPNS, SLIP10 keys
• 🪙 BLS12-381 keys for ETH validators
• 📟 Generate secure passwords & OTP 2FA codes

Used in: terminal7 WebRTC terminal multiplexer.

Usage

npm install micro-key-producer

jsr add jsr:@paulmillr/micro-key-producer

1import ssh from 'micro-key-producer/ssh.js';
2import pgp from 'micro-key-producer/pgp.js';
3import * as pwd from 'micro-key-producer/password.js';
4import * as otp from 'micro-key-producer/otp.js';
5import tor from 'micro-key-producer/tor.js';
6import ipns from 'micro-key-producer/ipns.js';
7import slip10 from 'micro-key-producer/slip10.js';
8import { randomBytes } from 'micro-key-producer/utils.js';

• Key generation: known and random seeds
  • SSH keys
  • PGP keys
  • Secure passwords
  • 2FA OTP codes
  • BLS keys for ETH validators
  • TOR keys and addresses
  • IPNS addresses
  • SLIP10 ed25519 hdkeys
• Low-level API
  • PGP key generation
  • Password generation
    • Bruteforce estimation and ZXCVBN score
    • Mask control characters
    • Design rationale
    • What do we want from passwords?
  • SLIP10 API

Key generation: known and random seeds

Every method takes a seed (key), from which the formatted result is produced.

A seed can be known (a.k.a. deterministic - it will always produce the same result), or random.

1// known: (deterministic) Uses known mnemonic (handled in separate package)
2import { mnemonicToSeedSync } from '@scure/bip39';
3const mnemonic = 'letter advice cage absurd amount doctor acoustic avoid letter advice cage above';
4const knownSeed = mnemonicToSeedSync(mnemonic, '');
5
6// random: Uses system's CSPRNG to produce new random seed
7import { randomBytes } from 'micro-key-producer/utils.js';
8const randSeed = randomBytes(32);

Generate SSH keys

1import ssh from 'micro-key-producer/ssh.js';
2import { randomBytes } from 'micro-key-producer/utils.js';
3
4const seed = randomBytes(32);
5const key = ssh(seed, 'user@example.com');
6console.log(key.fingerprint, key.privateKey, key.publicKey);
7// SHA256:3M832z6j5R6mQh4TTzVG5KVs2Ibvy...
8// -----BEGIN OPENSSH PRIVATE KEY----- ...
9// ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...

The PGP (GPG) keys conform to RFC 4880 & RFC 6637. Only ed25519 algorithm is currently supported.

Generate PGP keys

1import pgp, { getKeyId } from 'micro-key-producer/pgp.js';
2import { randomBytes } from 'micro-key-producer/utils.js';
3
4const seed = randomBytes(32);
5const email = 'user@example.com';
6const pass = 'password';
7const createdAt = Date.now(); // optional; timestamp >= 0
8
9const keyId = getKeyId(seed);
10const key = pgp(seed, email, pass, createdAt);
11console.log(key.fingerprint, key.privateKey, key.publicKey);
12// ca88e2a8afd9cdb8
13// -----BEGIN PGP PRIVATE KEY BLOCK-----...
14// -----BEGIN PGP PUBLIC KEY BLOCK-----...

Generate BLS keys for ETH validators

1import { mnemonicToSeedSync } from '@scure/bip39';
2import { createDerivedEIP2334Keystores } from 'micro-key-producer/bls.js';
3
4const password = 'my_password';
5const mnemonic = 'letter advice cage absurd amount doctor acoustic avoid letter advice cage above';
6const keyType = 'signing'; // or 'withdrawal'
7const indexes = [0, 1, 2, 3]; // create 4 keys
8
9const keystores = createDerivedEIP2334Keystores(
10  password
11  'scrypt',
12  mnemonicToSeedSync(mnemonic, ''),
13  keyType,
14  indexes
15);

Conforms to EIP-2333 / EIP-2334 / EIP-2335. Online demo: eip2333-tool

Generate secure passwords

1import * as pwd from 'micro-key-producer/password.js';
2import { randomBytes } from '@noble/hashes/utils';
3
4const seed = randomBytes(32);
5const pass = pwd.secureMask.apply(seed).password;
6// wivfi1-Zykrap-fohcij, will change on each run
7// secureMask is format from iOS keychain, see "Detailed API" section

Supports iOS / macOS Safari Secure Password from Keychain. Optional zxcvbn score for password bruteforce estimation

Generate 2FA OTP codes

1import * as otp from 'micro-key-producer/otp.js';
2otp.hotp(otp.parse('ZYTYYE5FOAGW5ML7LRWUL4WTZLNJAMZS'), 0n); // 549419
3otp.totp(otp.parse('ZYTYYE5FOAGW5ML7LRWUL4WTZLNJAMZS'), 0); // 549419

Conforms to RFC 6238.

Generate TOR keys and addresses

1import tor from 'micro-key-producer/tor.js';
2import { randomBytes } from 'micro-key-producer/utils.js';
3const seed = randomBytes(32);
4const key = tor(seed);
5console.log(key.privateKey, key.publicKey);
6// ED25519-V3:EOl78M2gA...
7// rx724x3oambzxr46pkbd... .onion

Generate IPNS addresses

1import ipns from 'micro-key-producer/ipns.js';
2import { randomBytes } from 'micro-key-producer/utils.js';
3const seed = randomBytes(32);
4const k = ipns(seed);
5console.log(k.privateKey, k.publicKey, k.base16, k.base32, k.base36, k.contenthash);
6// 0x080112400681d6420abb1b...
7// 0x017200240801122012c829...
8// ipns://f0172002408011220...
9// ipns://bafzaajaiaejcaewi...
10// ipns://k51qzi5uqu5dgnfwb...
11// 0xe501017200240801122012...

Generate SLIP10 ed25519 hdkeys

1import slip10 from 'micro-key-producer/slip10.js';
2import { randomBytes } from 'micro-key-producer/utils.js';
3
4const seed = randomBytes(32);
5const hdkey1 = slip10.fromMasterSeed(seed);
6
7// props
8[hdkey1.depth, hdkey1.index, hdkey1.chainCode];
9console.log(hdkey2.privateKey, hdkey2.publicKey);
10console.log(hdkey3.derive("m/0/2147483647'/1'"));
11const sig = hdkey3.sign(hash);
12hdkey3.verify(hash, sig);

SLIP10 (ed25519 BIP32) HDKey implementation has been funded by the Kin Foundation for Kinetic.

Low-level details

PGP key generation

1. Generated private and public keys would have different representation, however, their fingerprints would be the same. This is because AES encryption is used to hide the keys, and AES requires different IV / salt.
2. The function is slow (~725ms on Apple M1), because it uses S2K to derive keys.
3. "warning: lower 3 bits of the secret key are not cleared" happens even for keys generated with GnuPG 2.3.6, because check looks at item as Opaque MPI, when it is just MPI: see bugtracker URL.

1import * as pgp from 'micro-key-producer/pgp';
2import { randomBytes } from 'micro-key-producer/utils';
3const pseed = randomBytes(32);
4pgp.getKeyId(pseed); // fast
5const pkeys = pgp.getKeys(pseed, 'user@example.com', 'password');
6console.log(pkeys.keyId);
7console.log(pkeys.privateKey);
8console.log(pkeys.publicKey);
9
10// Also, you can explore existing keys internal structure
11console.log(pgp.pubArmor.decode(keys.publicKey));
12const privDecoded = pgp.privArmor.decode(keys.privateKey);
13console.log(privDecoded);
14// And receive raw private keys as bigint
15console.log({
16  ed25519: pgp.decodeSecretKey('password', privDecoded[0].data),
17  cv25519: pgp.decodeSecretKey('password', privDecoded[3].data),
18});

Password generation

Bruteforce estimation and ZXCVBN score

1import * as pwd from 'micro-key-producer/password.js';
2console.log(pwd.secureMask.estimate);
3
4// Output
5{
6  score: 'somewhat guessable', // ZXCVBN Score
7  // Guess times
8  guesses: {
9    online_throttling: '1y 115mo', // Throttled online attack
10    online: '1mo 10d', // Online attack
11    // Offline attack (salte, slow hash function like bcrypt, scrypt, PBKDF2, argon, etc)
12    slow: '57min 36sec',
13    fast: '0 sec' // Offline attack
14  },
15  // Estimated attack costs (in $)
16  costs: {
17    luks: 1.536122841572242, // LUKS (Linux FDE)
18    filevault2: 0.2308740987992559, // FileVault 2 (macOS FDE)
19    macos: 0.03341598798410283, // MaccOS v10.8+ passwords
20    pbkdf2: 0.011138662661367609 // PBKDF2 (PBKDF2-HMAC-SHA256)
21  }
22}

Mask control characters

Mask	Description	Example
1	digits	4, 7, 5, 0
@	symbols	!, @, %, ^
v	vowels	a, e, i
c	consonant	b, c, d
a	letter (vowel or consonant)	a, b, e, c
V	uppercase vowel	A, E, I
C	uppercase consonant	B, C, D
A	uppercase letter	A, B, E, C
l	lower and upper case letters	A, b, C
n	same as 'l', but also digits	A, 1, b, 2, C
*	same as 'n', but also symbols	A, 1, !, b, @
s	syllable (same as 'cv')	ca, re, do
S	Capitalized syllable (same as 'Cv)	Ca, Ti, Je
	All other characters used as is

Examples:

• Mask: Cvccvc-cvccvc-cvccv1 will generate Mavmuq-xadgys-poqsa5
• Mask @Ss-ss-ss will generate: *Tavy-qyjy-vemo

Design rationale

Most strict password rules (so password will be accepted everywhere):

• at least one upper-case character
• at least one lower-case character
• at least one symbol
• at least one digit
• length greater or equal to 8 These rules don't significantly increase password entropy (most humans will use mask like 'Aaaaaa1@' or any other popular mask), but they means that we cannot simple use mask like ********, since it can generate passwords which won't satisfy these rules.

What do we want from passwords?

• length: entering 32 character password for FDE via IPMI java applet on remote server is pretty painful. -> 12-16 probably ok, anything with more characters has chance to be truncated by service.
• readability: entering '!#%!$#Y^&*#%@#!!1' from air-gapped pc is hard.
• entropy:
  • 32 bit is likely to be brutforced via network
  • 64 bit: 22 days && 1.6k$ at 4x V100: https://blog.trailofbits.com/2019/11/27/64-bits-ought-to-be-enough-for-anybody/ but it is simple loop, if there is something like pbkdf before password, it will significantly slowdown everything
  • 80 bits is probably outside of budget for most attackers (btc hash rate) even if there is major speedup for specific algorithm
  • For websites and services we don't care much about entropy, since passwords are unique and there is no re-usage, however for FDE / server password entropy is pretty important
• no fancy and unique mask by default: we don't want to fingeprint users
• any mask will leak eventually (even if user choices personal mask, there will be password leaks from websites), so we cannot calculate entropy by ****** mask, we need to calculate entropy for specific mask (which is smaller).
• Password generator should be reversible, that way we can easily proof entropy/strength of password.

SLIP10 API

SLIP-0010 hierarchical deterministic (HD) wallets for implementation. Based on code from scure-bip32. Check out scure-bip39 if you also need mnemonic phrases.

• SLIP-0010 publicKey is 33 bytes (see this issue), if you want 32-byte publicKey, use .publicKeyRaw getter
• SLIP-0010 vectors fingerprint is actually parentFingerprint
• SLIP-0010 doesn't allow deriving non-hardened keys for Ed25519, however some other libraries treat non-hardened keys (m/0/1) as hardened (m/0'/1'). If you want this behaviour, there is a flag forceHardened in derive method

Note: chainCode property is essentially a private part of a secret "master" key, it should be guarded from unauthorized access.

The full API is:

1class HDKey {
2  public static HARDENED_OFFSET: number;
3  public static fromMasterSeed(seed: Uint8Array | string): HDKey;
4
5  readonly depth: number = 0;
6  readonly index: number = 0;
7  readonly chainCode: Uint8Array | null = null;
8  readonly parentFingerprint: number = 0;
9  public readonly privateKey: Uint8Array;
10
11  get fingerprint(): number;
12  get fingerprintHex(): string;
13  get parentFingerprintHex(): string;
14  get pubKeyHash(): Uint8Array;
15  get publicKey(): Uint8Array;
16  get publicKeyRaw(): Uint8Array;
17
18  derive(path: string, forceHardened = false): HDKey;
19  deriveChild(index: number): HDKey;
20  sign(hash: Uint8Array): Uint8Array;
21  verify(hash: Uint8Array, signature: Uint8Array): boolean;
22}

License

MIT (c) Paul Miller (https://paulmillr.com), see LICENSE file.