Misc key derivation changes

[jtobin]

From last week's email chain, we ought:

• Remove the optional 'password' salt throughout
• Remove the 'revision' salt throughout
• Not use the ship number to salt in childSeedFromSeed
• Fix all seeds at 256 bits
• Use an explicit out: 32 bytes argument to argon2
• Use an explicit derivation path of m/44'/60'/0'/0/0

See the updated wallet spec for details.

[Fang-]

idk if you're actively working on this rn, but I just pushed these changes. Made these before the weekend, but didn't push like an idiot. Hope this is still useful!

[jtobin]

No sweat. I don't mind duplicating work in the slightest -- work first, ask questions later. 😄

[jtobin]

(Just push em out and I'll merge/cut/etc. things appropriately).

[Fang-]

Alright, the new changelist, completely replacing the one in the issue OP, is as follows:

• [ ] Fix all seeds at 256 bits.
• [ ] Return seeds as BIP39 mnemonics rather than hex strings.
• [ ] Specify that BIP32 wallets are generated from the BIP39 mnemonic following the BIP39 spec (using PBKDF2, with a password, in the specified manner).
• [ ] Always use the BIP32 derivation path m/44’/60’/0’/0/0 rather than the master wallet.
• [ ] Remove the optional 'password' salt, but do support inputting a password alongside the mnemonic.
• [ ] Rather than generating one ownership seed from a ticket, provide the option to generate various ownership seeds from a ticket. This means that what we currently call the ownership seed needs to be salted and hashed, just like is done for the other seeds. Type here should be 'owner'.

Yes, we keep the ship number and revision parts of the salt, but the UI will (at least initially) just default to 0 for both, as a default "Urbit-style derivation path". The UI will also default to "no password" for the mnemonics initially. Neither of these UI defaults are anything the lib needs to care about, but just fyi.

Wallet spec will be updated with this soon. @msutherl please double-check this changelist and ping here when the wallet spec has been updated.

[flowerornament]

@Fang- updated some of the wording, and with those changes, confirmed

[Fang-]

@msutherl we missed the BIP32 derivation path, which I've now added to the changelist.

[Fang-]

To clarify, are we doing BIP39 mnemonics also for networking seeds? Or just hex there?

[flowerornament]

The hex is an intermediate representation that doesn't need to be exposed. BIP39 mnemonics are the output.

On Oct 24, 2018 at 3:36 PM, <Fang (mailto:notifications@github.com)> wrote:

To clarify, are we doing BIP39 mnemonics also for networking seeds? Or just hex there?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub (https://github.com/urbit/keygen-js/issues/32#issuecomment-432851964), or mute the thread (https://github.com/notifications/unsubscribe-auth/AAB8HgWBn_h5tk0DdCDtTjDbNNO-Yqalks5uoOuAgaJpZM4Xzqis).

[Fang-]

But the networking seed is only relevant for Urbit itself, never goes into a hardware wallet or other Eth/Btc-related tech. Is Urbit going to do the mnemonic->seed conversion?

(This is fine, and I already have a lib for doing that, but I want to be explicit about whether we're doing that or not.)

[flowerornament]

@msutherl woah, I totally misread that. Taking a second look at this, I'm starting to realize that the "networking seed" might be an accidental piece of cruft. Couldn't the Management Seed just as well be used to derive the networking keys?