| 1 | +# Manual DiceKey Generation |
| 2 | +The DiceKeys physical random number generator is meant to be a permanent physical device to recover a secret, such as a |
| 3 | +master passphrase to a password manager, or the seed to a SoloKey hacker model. Regardless, once securely stored in a |
| 4 | +safe location, the device is meant to be scanned with the upstream tool, either via using the mobile app or the web |
| 5 | +interface. However, if you want to generate a secret manually without the app, this document gives you a few ideas how |
| 6 | +you can do that. |
| 7 | + |
| 8 | +**Disclaimer:** I am not affiliated with the DiceKeys product in any way. When it was announced, I liked the idea of |
| 9 | +physical 198-bit random number generator with dice, and further liked the idea of permanently setting that number in |
| 10 | +place for archival purposes. I ordered my own physical copy to play with, and recommend you do the same. I added it to |
| 11 | +the my password generator project for demonstration purposes. |
| 12 | + |
| 13 | +## Reading the DiceKey Directly |
| 14 | +The security of the DiceKey comes a shuffled 25 character alphabet, 6 sides and 4 orientations of each die. As such, for |
| 15 | +each die you must record the character, side, and orientation. Thus, without spaces, this will produce a 75-character |
| 16 | +secret you can type by hand. Probably easiest to follow your natural reading direction, such as left-to-right, |
| 17 | +top-to-bottom for English speakers. |
| 18 | + |
| 19 | +Recording the character and dice side is easy, as they are physically printed on the dice, and can be read directly. |
| 20 | +However, orientation must be defined. There are a number of ways you could approach this. For example, you could use the |
| 21 | +cardinal directions on a compass: |
| 22 | + |
| 23 | +* "N" for facing north (right-side up). |
| 24 | +* "E" for facing east (resting on its right side). |
| 25 | +* "S" for facing south (upside down). |
| 26 | +* "W" for facing west (resting on its left side). |
| 27 | + |
| 28 | +So the "N4" face resting on its right side (facing east) would be recorded an "N4E". Similarly, an upside down "Z3" die |
| 29 | +would be recorded as "Z3S". Following this definition, a possible result reading from the top-left die to the |
| 30 | +lower-right die could be: |
| 31 | + |
| 32 | + N3E O2N S2S D5E Z1E I3W H4N X6S A5W T2S R4E B3E C3E P5N Y3E M5W V1E J3E K1E L6W W5N G6S E3W F6E U2N |
| 33 | + |
| 34 | +## Converting the DiceKey into a Passphrase by Hand |
| 35 | +If you would prefer to use a passphrase instead of a random meaningless string of characters, I built [a word list of |
| 36 | +exactly 14,400 unique words][1]. Creating the passphrase means executing the following steps: |
| 37 | + |
| 38 | +[1]: https://gist.github.com/atoponce/648436a7b8492d13039040e38f87762b |
| 39 | + |
| 40 | +1. Create 12 non-overlapping pairs of dice. |
| 41 | +2. Record the alphabetic characters of the pair. |
| 42 | +3. Record the face of the first die in the pair. |
| 43 | +4. Record the orientation of the second die in the pair. |
| 44 | + |
| 45 | +For example, using our DiceKey result from above, they would first be paired (note the last die is not paired, and is |
| 46 | +ignored): |
| 47 | + |
| 48 | + (N3E O2N) (S2S D5E) (Z1E I3W) (H4N X6S) (A5W T2S) (R4E B3E) (C3E P5N) (Y3E M5W) (V1E J3E) (K1E L6W) (W5N G6S) (E3W F6E) U2N |
| 49 | + |
| 50 | +Now record the alphabetic characters of each pair: |
| 51 | + |
| 52 | + NO SD ZI HX AT RB CP YM VJ KL WG EF |
| 53 | + |
| 54 | +Record the face of the first die in each pair: |
| 55 | + |
| 56 | + NO3 SD2 ZI1 HX4 AT5 RB4 CP3 YM3 VJ1 KL1 WG5 EF3 |
| 57 | + |
| 58 | +And record the orientation of the second die in each pair: |
| 59 | + |
| 60 | + NO3N SD2E ZI1W HX4S AT5S RB4E CP3N YM3W VJ1E KL1W WG5S EF3E |
| 61 | + |
| 62 | +These results are indices of each word in the word list: |
| 63 | + |
| 64 | + milked quinin wight forky arhat pinkie broke vestal sorrel ibex swatch copal |
| 65 | + |
| 66 | +This provides a security margin of log2(25! \* 24^12) ~= 138 bits. No word is longer than 5 characters, so the |
| 67 | +passphrase itself will never exceed 72 characters, unless you add a word separator between each word. |
| 68 | + |
| 69 | +## Converting the DiceKey into a Passphrase using Niceware |
| 70 | +### Using offline tools |
| 71 | +If you would like to maximize the security margin out of the 198 bits available in the device itself, you can |
| 72 | +use a cryptographic hashing function to hash the results of the DiceKey, then convert the hexadecimal to a [Niceware |
| 73 | +passphrase][2]. |
| 74 | + |
| 75 | +[2]: https://github.com/diracdeltas/niceware |
| 76 | + |
| 77 | +Doing this is fairly straight-forward: |
| 78 | + |
| 79 | +1. Hash the recorded result of the DiceKey, truncated to 192 bits. |
| 80 | +2. Convert the hex to a Niceware phrase. |
| 81 | + |
| 82 | +For hashing, any cryptographic hashing primitive that can produce digests of 192 bits of greater will work, such as |
| 83 | +SHA-256, SHAKE, BLAKE3, and others. For example, using SHA-256 with our recorded example above, ignoring white space, we |
| 84 | +can execute in a Linux terminal: |
| 85 | + |
| 86 | + $ printf N3EO2NS2SD5EZ1EI3WH4NX6SA5WT2SR4EB3EC3EP5NY3EM5WV1EJ3EK1EL6WW5NG6SE3WF6EU2N | sha256sum |
| 87 | + 55a46459af3f9995ef7f1e8e52b6481671200224f629b373fc4447d9a30051e5 - |
| 88 | + |
| 89 | +Because each hexadecimal character provides 4 bits, then we only need the first 48 hex characters from our digest to |
| 90 | +produce a 192-bit Niceware passphrase: |
| 91 | + |
| 92 | + $ printf N3EO2NS2SD5EZ1EI3WH4NX6SA5WT2SR4EB3EC3EP5NY3EM5WV1EJ3EK1EL6WW5NG6SE3WF6EU2N | sha256sum | head -c 48; printf '\n' |
| 93 | + 55a46459af3f9995ef7f1e8e52b6481671200224f629b373 |
| 94 | + |
| 95 | +Using the command line [`nicepass(1)`][3] utility, you can convert this result to a passphrase: |
| 96 | + |
| 97 | +[3]: https://github.com/awcross/nicepass |
| 98 | + |
| 99 | + $ nicepass 55a46459af3f9995ef7f1e8e52b6481671200224f629b373 |
| 100 | + fugue hitting quipster overtire unmasked caucussing forelady estrogenicity introducible aikido vinca reconcilability |
| 101 | + |
| 102 | +We ended up with another 12 word passphrase, but this time our security margin is 192 bits instead of 138, a significant |
| 103 | +improvement. The cost is considerably more characters to type however, as the average word length is 8.2 characters. |
| 104 | + |
| 105 | +### Using online tools |
| 106 | +Not everyone likes command line tools, and not everyone uses unix-like environments. As such, the above can be |
| 107 | +duplicated using CyberChef by the GCHQ and Niceware by Yan Zhu. |
| 108 | + |
| 109 | +1. Paste your DiceKey secret using [this CyberChef recipe][4]. |
| 110 | +2. Paste the resulting hexadecimal string into [Niceware][5]. |
| 111 | + |
| 112 | +[4]: https://gchq.github.io/CyberChef/#recipe=SHA2('256')Head('Nothing%20(separate%20chars)',48) |
| 113 | +[5]: https://diracdeltas.github.io/niceware/ |
| 114 | + |
| 115 | +**Caution:** You should [avoid using web interfaces or other online tools when working with secrets][6]. There are no |
| 116 | +guarantees that your data is not being recorded and sent to a 3rd party without fully inspecting the code, *on every |
| 117 | +page refresh*. If you have to use web tools, you should run them 100% offline. Both [CyberChef][7] and [Niceware][8] |
| 118 | +provide ZIP archives of the software that you can download, extract, and run locally in your browser, completely |
| 119 | +offline. I **strongly** recommend this approach. |
| 120 | + |
| 121 | +[6]: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/ |
| 122 | +[7]: https://github.com/gchq/CyberChef/releases/latest |
| 123 | +[8]: https://github.com/diracdeltas/niceware/releases/latest |
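Review bot: the word-length claim in the hand-conversion section contradicts its own output: the sentence "No word is longer than 5 characters, so the passphrase itself will never exceed 72 characters" sits directly under a sample passphrase containing six-letter words (milked, quinin, pinkie, vestal, sorrel, swatch), and 72 = 12 × 6, so the bound only holds for a maximum word length of 6; change "5" to "6". The procedure also leans on a recording convention the text leaves loose: "Probably easiest to follow your natural reading direction" and the N/E/S/W scheme are both choices, and in the Niceware section the SHA-256 input is exactly that 75-character string, so any later deviation in reading order, orientation letters, or case yields a different digest and an unrecoverable passphrase; the doc should say that the chosen reading order and orientation encoding must be fixed once and kept with the device, and "These results are indices of each word in the word list" should explain how a label such as NO3N maps to a position in the gist, since the reader has to reproduce that mapping by hand years later. Step 1 of the Niceware procedure, "Hash the recorded result of the DiceKey, truncated to 192 bits", reads as if the input is truncated; the commands truncate the digest, so word it as "hash the recorded result and keep the first 192 bits of the digest". Three wording fixes: "comes a shuffled 25 character alphabet" is missing "from", "would be recorded an "N4E"" should read "as", and "192 bits of greater" should read "or greater".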