Re: [Openpgp-dt] Additional AEAD key separation needed?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 17 May 2022 18:05 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp-dt/45HjHRJn7eCsraz35iiJmRh3Nf4>

Thanks Daniel, that's useful input. Bit more below...

On 17/05/2022 16:10, Daniel Huigens wrote:
> Hi there,
> 
>> The additional key separation is described in 5.5.3 [3] where
>> it says: "If the string-to-key usage octet is 253, the key
>> encryption key is derived using HKDF (see [RFC5869]) to provide key
>> separation."
> 
> The quoted section of the spec is for encrypted keys, while it's easiest
> to understand the change (and justification) from the section about
> messages, e.g. 5.14.2 [1], which also describes how HKDF is used and
> says that "The KDF mechanism provides key separation between cipher and
> AEAD algorithms." So I would quote that instead, unless Werner's
> complaint is specifically about encrypted keys (but I don't think
> it is, or at least if so it's not clear to me from the email).

Good point. I'll make that change.

> 
>> The justification is for better safety if the
>> same key is used with different AEAD modes, but in particular
>> GCM.
> 
> From the phrasing, it sounds somewhat like the attack can be prevented
> by the sender (by not using the same key with different AEAD modes),
> but the AEAD mode of a message could be controlled by an attacker; so I
> would say something like "... if a key is used with a different AEAD
> mode than intended ...". I would perhaps quote [2] for the description
> of this attack and the possible countermeasures in section 3.2.

Will do.

> 
>> The counter-argument is that such separation isn't needed
>> for OCB (it was added for GCM) and that OCB code has been
>> deployed with existing ciphertexts out there already so
>> this change breaks interop for no real benefit.
> 
> Here I would perhaps just mention that the original reason to add GCM
> was for FIPS compliance reasons, based on a suggestion at IETF 112.
> Additionally, at least for asymmetrically encrypted messages we didn't
> break interop (since we specified v2 SEIPD instead of the AEAD packet),
> and I think those are the main/only ones that are "out there already".
> But, I can also bring this up on the mailing list instead once you send
> the email, of course; as I suppose whether or not this is the case is
> quite central to this discussion.

Yeah, I think those points would be better as part of the
discussion on the list if that's ok.

Cheers,
S.

> 
> Best,
> Daniel
> 
> [1]: https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-05#section-5.14.2
> [2]: https://www.ndss-symposium.org/wp-content/uploads/2017/09/10_4_0.pdf
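Added illustration (not code from the thread, the draft, or any OpenPGP implementation) of the key-separation idea discussed above: the message key is derived from the session key with HKDF (RFC 5869), with the cipher and AEAD algorithm octets bound into the HKDF info, so a ciphertext re-labelled with a different AEAD mode yields a different key instead of being decrypted under the original key with the wrong mode. The info layout, the packet header byte and the salt handling are simplifying assumptions made here, not the draft's exact encoding.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# RFC 5869 HKDF, written out on top of the stdlib so the example runs offline.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)

# Algorithm identifiers from the OpenPGP registries used by crypto-refresh.
AES256, OCB, GCM = 9, 2, 3
SEIPD_TAG, SEIPD_VERSION = 18, 2

def derive_message_key(session_key: bytes, salt: bytes, cipher_algo: int,
                       aead_algo: int, chunk_size_octet: int) -> bytes:
    # ASSUMED info layout for illustration: new-format packet header byte,
    # version, cipher algorithm, AEAD algorithm, chunk size octet. Binding
    # the algorithm octets here is what gives the key separation: the same
    # session key never produces the same message key for two AEAD modes.
    info = bytes([0xC0 | SEIPD_TAG, SEIPD_VERSION, cipher_algo, aead_algo,
                  chunk_size_octet])
    return hkdf(salt, session_key, info, 32)

def keys_separated(session_key: bytes, salt: bytes) -> bool:
    # Defender's check: an attacker who flips the AEAD octet in the packet
    # header from OCB to GCM causes the recipient to derive a different key,
    # so the GCM decryption fails rather than exposing the OCB key to GCM.
    k_ocb = derive_message_key(session_key, salt, AES256, OCB, 6)
    k_gcm = derive_message_key(session_key, salt, AES256, GCM, 6)
    return k_ocb != k_gcm
```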