Re: [openpgp] First remarks on the last I-D
"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 10 June 2022 22:25 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3121C157B50 for <openpgp@ietfa.amsl.com>; Fri, 10 Jun 2022 15:25:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbXqFjG4SsUY for <openpgp@ietfa.amsl.com>; Fri, 10 Jun 2022 15:25:11 -0700 (PDT)
Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [IPv6:2600:3c04::f03c:92ff:fe9e:c6d8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 576BAC14F736 for <openpgp@ietf.org>; Fri, 10 Jun 2022 15:25:11 -0700 (PDT)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:3231:9f8e:45c7:e809]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id 8D28B5A26C for <openpgp@ietf.org>; Fri, 10 Jun 2022 22:25:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1654899909; bh=IUps3+46JVPpCkM1573Or0VFfGjx+qaQvv0NTs3d5Rw=; h=Date:From:To:Subject:References:Content-Type:Content-Disposition: In-Reply-To:From:Reply-To:Subject:Date:To:CC:Resent-Date: Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=rPHZNuhJDZWOdOUNhzQjP9GZ/X1PGfgGt9CxQy1mkA392ns8GrcSKk/5KSsJ0leGF Z569ZnJ3e7t654yYRb1avs6ZTMUOFXjoHRlfGx2kzlBnuVEwe0s6yE7+gGc8fs2gMB rT8ookG58qh1V76piALz8Cs+x+awG8WqM9jeineNiMV40fpvI75mqhFtB34aGBT3Vq yOR3323zKUYyVlJvqRQQpDXy5KMkWuhYc6sPJyDSKJsp6RJSjWA7hN5pIUg5QBbd9S pFQl4B1if1ZIZwKxwzIFXfoIn3Rn2Uras69kIRqPbPXY2EWXy3tgVqP9A40iW1kkdd vH8flOo/Mj95+HkHKW6O71I0w4NsSRBqDQlNKW3IUJlXkd8WU2IdKKiIK6/NYy5UET ahjw0ZDYK4BayL/AzjyC/7xLf+DTa4Uoq2X2AzF5vmUDi29iP573t/v0qb90iWrH6e 8DquctabwBSw22JttahcpUZ2zdz9fJI+gt7bheuUKvF5391F+hK
Date: Fri, 10 Jun 2022 22:25:07 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <YqPEw8OIlf0PG40T@camp.crustytoothpaste.net>
References: <BB9D0AB9-CC8C-420E-8082-E9F64B09BF46@ribose.com> <790E2D75-3B92-4322-A72A-DC8ABED899BF@nohats.ca> <87czfji7w1.fsf@wheatstone.g10code.de> <18396bf2-5319-87c3-095e-f804632618f2@cs.tcd.ie> <5100C338-C6DC-4BB1-86A4-DAC353AA82CC@icloud.com> <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca> <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Ei5sgs1YzcDxt+sW"
Content-Disposition: inline
In-Reply-To: <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com>
User-Agent: Mutt/2.2.4 (2022-04-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/29sXv3SOuT8wjtuL98uvjxyJIPo>
Subject: Re: [openpgp] First remarks on the last I-D
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2022 22:25:16 -0000
On 2022-06-10 at 21:28:52, Jon Callas wrote: > > > > On Jun 10, 2022, at 06:54, Paul Wouters <paul@nohats.ca> wrote: > > > > On Wed, 8 Jun 2022, Jon Callas wrote: > > > >> However, GCM mode is not required for FIPS. It is neither necessary > >> nor sufficient. PGP was the very first software-only FIPS 140 > >> module, over twenty years ago. If someone is claiming that they > >> need GCM mode for FIPS, they're mistaken. > > > > Well, if that FIPS compliance was achieved with 3DES, at this point that would be > > a problem as 3DES has been sunset. What non-GCM encryption algorithm is > > FIPS approved and supported by OpenPGP ? > > AES is a FIPS algorithm and has been for some time. NIST is in favor > of it. Forgive me for being pedantic, but GCM is a mode -- and there > are documents which I just found by typing "fips 140 modes of > encryption" into a search engine, where it tells me that for AES: > > AES-CCM is approved (SP800-38C), as is CMAC (SP800-38B), and HMAC via > FIPS 198-1 via SP800-107. CCM is essentially CTR with CBC-MAC. GCM is essentially CTR with a polynomial Carter-Wegman-style MAC. They both suffer from the exact same problem of nonce reuse because in both cases the CTR part leaks the plaintext. If we decide we like CCM better, that's fine. I'm not picky here. GCM is typically faster on modern hardware and it's online, so it's easier to encrypt data in large chunks, but CCM can be made to work here. We should not try to synthesize other modes out of the approved modes, though. For example, OCB has separate security proofs, and folks who need FIPS compliance are almost certainly not going to get an approval from the extremely bureaucratic agency doing the FIPS validation if it's not pretty clearly an approved mode. > >> And for what it's worth, I'm also against using GCM mode for > >> storage encryption in particular, and thus in OpenPGP. > > > > Noted. This is good to know. > > In general, I think one should not be doing stream modes for storage, > and the reason is nonce reuse. In the case of GHASH and thus GCM, the > issue is that reusing a nonce breaks all MACs in the future and in the > past. When one is doing streaming, breaking a past nonce isn't a big > deal. However in storage, this is different. If someone accidentally > reuses a nonce, the past break means that things already written can > be undetectably modified. This is why the lot of us really, really get > cranky about GCM. It would be much better to use CCM (because it was > explicitly created to be a non-IP mode) or OCB (which is what we all > want to use anyway, and it's faster than GCM). And yes, yes, there are > also things like SIV. Here's the problem with that argument: in every case where OpenPGP generates a nonce, it also generates a session key. If the implementation has broken nonce behaviour, they probably also have broken secret key generation behaviour, and the security is already compromised. As long as the user has provided a unique salt for the SEIDP with the given key (and the key is securely generated), then the use of HKDF guarantees that the key and nonce are effectively independent and the construction is secure. That makes the risk of nonce-related problems lower as long as the session key is secure. I do want to be clear that I think OCB is fine and preferred here. I don't think that anybody is saying that GCM is the desired mode for everyday use. (Similarly, I think EdDSA is typically preferred over ECDSA with NIST curves.) I clearly don't think FIPS-compliant cryptography is the desired configuration for everyday use. However, it's there for people who have certain, specific needs that please government agencies, and for the rest of us, we don't ever have to use it. We can even say that implementations SHOULD use a mode other than GCM if we like. > I think that for storage of things like keys, it's better to do an > HMAC or CMAC on top of CFB (since OpenPGP is full of that) or use > CBC+CTS (which resolves padding issues). CFB is not very commonly implemented in cryptographic libraries these days, while GCM and CCM are. Ciphertext stealing can be done in three different ways, and many cryptographic libraries don't support that with CBC, so implementing it correctly is a giant hassle. I personally hate CBC with a passion because verifying padding is terrible and CTS is hard to implement. While I am personally a fan of the CTR+HMAC constructions because they are trivial to implement and constant time with a constant time block cipher, the benefit to using an actual AEAD construction is that if one uses a suitable cryptographic library, the implementation may prevent the release of plaintext if the tag is incorrect. I think there's substantial value to using an existing AEAD implementation which is probably implemented correctly than requiring people to construct one themselves, where security-relevant implementation errors are more likely, and that the benefits to that outweigh the downsides of GCM or CCM. -- brian m. carlson (he/him or they/them) Toronto, Ontario, CA
- [openpgp] I-D Action: draft-ietf-openpgp-crypto-r… internet-drafts
- Re: [openpgp] I-D Action: draft-ietf-openpgp-cryp… Paul Wouters
- [openpgp] First remarks on the last I-D (Was: I-D… Werner Koch
- Re: [openpgp] First remarks on the last I-D (Was:… Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… Justus Winter
- Re: [openpgp] First remarks on the last I-D (Was:… Stephen Farrell
- Re: [openpgp] First remarks on the last I-D (Was:… Daniel Huigens
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Ronald Tse
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… brian m. carlson
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D brian m. carlson
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Paul Schaub
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Daniel Huigens
- [openpgp] AEAD and Rome (was: First remarks on th… Werner Koch
- Re: [openpgp] AEAD and Rome (was: First remarks o… Daniel Huigens
- [openpgp] Choices for AEAD modes [was: AEAD and R… Daniel Kahn Gillmor
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Justus Winter
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Paul Wouters
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… brian m. carlson
- Re: [openpgp] Choices for AEAD modes Ronald Tse
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes Stephen Farrell