IETF Logo Mail Archive

Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)

Bruce Walzer <bwalzer@59.ca> Wed, 27 July 2022 15:43 UTC

Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C1FC13CCF8 for <openpgp@ietfa.amsl.com>; Wed, 27 Jul 2022 08:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHBwV9EbrA5W for <openpgp@ietfa.amsl.com>; Wed, 27 Jul 2022 08:42:57 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C05A0C136324 for <openpgp@ietf.org>; Wed, 27 Jul 2022 08:42:56 -0700 (PDT)
Received: from [104.246.140.18] (helo=watt.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oGjBV-000Ec5-Am; Wed, 27 Jul 2022 10:42:53 -0500
Date: Wed, 27 Jul 2022 10:42:51 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Justus Winter <justus@sequoia-pgp.org>
Cc: openpgp@ietf.org
Message-ID: <YuFc+w02FiRQmHcg@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87edy7keb6.fsf@thinkbox>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2DBXfcmiyGFmT3h6mXrQCpxCXA8>
Subject: Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 15:43:03 -0000

On Tue, Jul 26, 2022 at 06:51:25PM +0200, Justus Winter wrote:
> Bruce Walzer <bwalzer@59.ca> writes:
> 
> > The Argon2 proposal seems incomplete (Draft 6)
> >
> > This fell out of a discussion on a different thread. I think I can now
> > express this in a more coherent way.
> 
> Don't split threads like that.  At best it looks like an obvious attempt
> of leaving the dissenting voices behind.

That was not my intent. My experience has been that where an incorrect
fact has become woven into a discussion that it is better to start
over with the correction as part of the initial assertions than to try
to detangle the exiting discussion. The incorrect fact in this case is
that Argon2 will work in some sort of slower degraded mode in the case
where not enough memory is available.

[...]

> > OpenPGP is a messaging standard and has to be such that
> > interoperability is possible between different systems. That is at
> > odds with normal Argon2 usage.
> 
> If you are doing pre-shared key encryption, you have to communicate the
> key to the recipient, hence you do know in what context the data will be
> decrypted.

How would this work in practice? Would we ask the user for the Argon2 parameters at encryption time?

    Enter passphrase: ***********************
    Enter memory available for decryption (KiB): 2000
    Enter execution threads available for decryption: 8
    Enter passes for decryption: 3

> Even if you don't, let's say you are archiving some data,
> experience tells us that available memory will grow, not shrink, so
> whatever memory you can supply now for the encryption, you can be sure
> that the future recipient will have enough to decrypt it.

Memory here is the memory available to the task, not the overall
system. Restricting that memory is all the rage these days because of
containerization/virtualization and on mobile to overcome the effects
of misbehaving apps.

> 
> > I think that more work needs to be done here to generate a valid
> > proposal. At this point it is not clear to me that such a proposal is
> > even possible. We might have to in the end consider other
> > approaches. As it is, we are basically dumping a complicated
> > technology into a long term standard with all the knobs exposed with
> > the hope that someone will come along later and find an effective use
> > for it.
> 
> It is not complicated.  It is not new.  It is widely implemented, and
> the RFC gives recommendation for the parameters.

Multiple, widely different recommendations.

> Note that for the
> legacy S2K mechanisms, even though there are multiple knobs, the RFC
> gives no guidance whatsoever.

The only relevant knob is the count for "Iterated and Salted S2K"
which directly maps to CPU difficulty. One degree of freedom is much
easier to deal with than several. 

> 
> If you have a counter-proposal for a password-to-key derivation
> mechanism, please produce a constructive proposal.

It is probably just me, but the general subject of improved S2K
schemes feels like something that should be discussed in a new
thread. :)

Bruce

v2.23.0 | Report a Bug | By Email