Pre-BIP feedback: Secrets keychain with semantic derivation
72 views
Skip to first unread message
Aneesh Karve
May 28, 2024, 6:29:27 PMMay 28
to Bitcoin Development Mailing List
Greetings,
After reading and implementing BIP-85 I entertained the possibility of a generalized keychain application atop hierarchical deterministic wallets.
Here is the pre-proposal for said BIP-Keychain on GitHub. Below are the Abstract and Motivation. See the link above for the full spec.
Let me know if I should proceed to submit this as a proper BIP.
Thank you.
# Abstract
We extend the hierarchical deterministic wallet chain from BIP-32 with a new
application code for BIP-85 and a deterministic path derivation algorithm
that allows applications to create a large key-value map of secrets where the key
for each secret is a meaningful semantic path, as opposed to an arbitrary integer.
This secure key-value map can replace modern password managers and offers an improved, possibly trustless security profile.
We extend the hierarchical deterministic wallet chain from BIP-32 with a new
application code for BIP-85 and a deterministic path derivation algorithm
that allows applications to create a large key-value map of secrets where the key
for each secret is a meaningful semantic path, as opposed to an arbitrary integer.
This secure key-value map can replace modern password managers and offers an improved, possibly trustless security profile.
# Motivation
BIP-85 specifies how to derive passwords, private keys, and entropy from paths
with the following form:
```
m/83696968'/{app_no}'/{index}'
```
Nevertheless BIP-85 has the following ambiguities and shortcomings:
1. Path construction is arbitrary in that there is no well-defined procedure to
extend the path for applications that require more than two parameters.
The implied convention is for paths to end with `{some_integer_n}'{index}'`
but there is no guidance on the order of parameters for applications that need more
than two inputs.
1. Return types for applications vary in interpretation and are
not specific enough to be actionable. For example sometimes `n` represents the
number of bytes, sometimes the number of characters, sometimes the number of
BIP-39 words, etc.
Moreover, modern password managers protect hot child secrets with a single root
master hot secret such that if the master secret is compromised all children are
also compromised.
BIP-Keychain proposes a new paradigm where numerous hot or cold secrets are derived
from hot but non-secret-compromising _derivation path keys_ that are in turn stored
under a hot master secret such that if this hot master is compromised only the
_derivation path keys_, and not the actual child secrets (_derivation path values_),
are compromised. Said hot master secret can itself be the child derivative of a
cold master key. The master key for deriving the secret values need not be stored
online nor with the derivation path keys and may be provided just-in-time by the
application.
Moreover, _generalized derivation paths_ may be interpreted not simply as an
input to key derivation but also as information about the real world.
BIP-85 specifies how to derive passwords, private keys, and entropy from paths
with the following form:
```
m/83696968'/{app_no}'/{index}'
```
Nevertheless BIP-85 has the following ambiguities and shortcomings:
1. Path construction is arbitrary in that there is no well-defined procedure to
extend the path for applications that require more than two parameters.
The implied convention is for paths to end with `{some_integer_n}'{index}'`
but there is no guidance on the order of parameters for applications that need more
than two inputs.
1. Return types for applications vary in interpretation and are
not specific enough to be actionable. For example sometimes `n` represents the
number of bytes, sometimes the number of characters, sometimes the number of
BIP-39 words, etc.
Moreover, modern password managers protect hot child secrets with a single root
master hot secret such that if the master secret is compromised all children are
also compromised.
BIP-Keychain proposes a new paradigm where numerous hot or cold secrets are derived
from hot but non-secret-compromising _derivation path keys_ that are in turn stored
under a hot master secret such that if this hot master is compromised only the
_derivation path keys_, and not the actual child secrets (_derivation path values_),
are compromised. Said hot master secret can itself be the child derivative of a
cold master key. The master key for deriving the secret values need not be stored
online nor with the derivation path keys and may be provided just-in-time by the
application.
Moreover, _generalized derivation paths_ may be interpreted not simply as an
input to key derivation but also as information about the real world.
Reply all
Reply to author
Forward
0 new messages