Re: [openpgp] Disadvantages of Salted Signatures

Nickolay Olshevsky <o.nickolay@gmail.com> Wed, 13 December 2023 12:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1OD5_x-vWJKR8JjVyqeOwC_f2a4>

This may be overridden with some wording like 'If 'salt' subpacket is 
present in signature, its contents must be fed to the hash context 
before starting to hash all other signature's fields'.

On 12.12.2023 12:25, Neal H. Walfield wrote:
>
>> As far as I remember there was a proposal of adding some 'salt' signature subpacket, which would serve exactly the same purpose.
>>
>> This would work in both cases: if an implementation needs a salt, it would add it as a subpacket, or not add it otherwise.
> There's an important, but subtle difference between using the salt as
> specified in the crypto-refresh, and putting the salt in a subpacket.
> In the crypto refresh, the salt is placed at the very start:
>
>    When creating or verifying a v6 signature, the salt is fed into the
>    hash context before any other data.
>
>    https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.4-2
>
> Putting the salt in a subpacket means that there is still some data
> that an attacker can predict and potentially control, which means it
> doesn't preclude a chosen prefix attack.

-- 
   Best regards,
   Nickolay Olshevsky
   o.nickolay@gmail.com
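
The ordering difference discussed in the quoted reply, as an added example that is not part of either message and not code from any OpenPGP implementation. It builds the bytes fed to the hash for a document signature under both layouts and measures how much of that input is fixed before any signer randomness appears. The trailer is simplified, and the subpacket type (100, from the private/experimental range), the 16-byte salt and the sample document are assumptions made for the example.

```python
import hashlib
import os
import struct

SALT_SUBPACKET_TYPE = 100  # hypothetical: private/experimental range, not an assigned type
SALT_LEN = 16              # salt size chosen for this example

def trailer(hashed_subpackets: bytes) -> bytes:
    """Simplified signature trailer: fixed fields, hashed subpackets, final length block."""
    # version 6, sig type 0x00 (binary document), pubkey alg 1 (RSA), hash alg 8 (SHA2-256)
    fields = (bytes([6, 0x00, 1, 8])
              + struct.pack(">I", len(hashed_subpackets))
              + hashed_subpackets)
    return fields + bytes([6, 0xFF]) + struct.pack(">I", len(fields))

def salt_first(document: bytes, salt: bytes) -> bytes:
    """Layout quoted from the crypto-refresh: salt is hashed before any other data."""
    return salt + document + trailer(b"")

def salt_in_subpacket(document: bytes, salt: bytes) -> bytes:
    """Salt carried as a hashed subpacket and hashed where subpackets normally are."""
    body = bytes([SALT_SUBPACKET_TYPE]) + salt
    # One-octet subpacket length, valid because len(body) is below 192.
    return document + trailer(bytes([len(body)]) + body)

def predictable_prefix_len(layout, document: bytes) -> int:
    """Number of bytes hashed before the first byte that depends on the salt."""
    a = layout(document, b"\x00" * SALT_LEN)
    b = layout(document, b"\xff" * SALT_LEN)
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def salt_free_blocks(layout, document: bytes) -> int:
    """Full SHA-256 input blocks that are fixed before the salt is absorbed."""
    return predictable_prefix_len(layout, document) // hashlib.sha256().block_size

if __name__ == "__main__":
    doc = b"constructed sample document\n" * 4  # constructed input
    for layout in (salt_first, salt_in_subpacket):
        total = len(layout(doc, os.urandom(SALT_LEN)))
        print(f"{layout.__name__}: {predictable_prefix_len(layout, doc)} of {total} "
              f"bytes predictable, {salt_free_blocks(layout, doc)} salt-free blocks")
```

With the salt first, the predictable prefix is empty; with the salt in a subpacket, the whole document and the fixed signature fields are hashed before the salt.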