IETF Logo Mail Archive

Re: [openpgp] New S2K specifiers?

Jon Callas <joncallas@icloud.com> Tue, 02 April 2019 03:32 UTC

Return-Path: <joncallas@icloud.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC8F51200D7 for <openpgp@ietfa.amsl.com>; Mon, 1 Apr 2019 20:32:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Level:
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RYm-zlejlXkC for <openpgp@ietfa.amsl.com>; Mon, 1 Apr 2019 20:32:06 -0700 (PDT)
Received: from mr85p00im-ztdg06021801.me.com (mr85p00im-ztdg06021801.me.com [17.58.23.195]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1573712001E for <openpgp@ietf.org>; Mon, 1 Apr 2019 20:32:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=04042017; t=1554175925; bh=RvA4Zpv8cA7XQiFR+DeAHd61tBk86q2O5Odxc4Rel+4=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=SACXe8KcEqKEhxWMmwNlfs4ATNPkzXvJeARibejlzOUu8eL2MZJg3wwZxeQzdH3Hw CcvjQBT/xl/ICYPxfA9uGcw37gAsxamJe96N7nBOAL5N3cmF78LTXa7y1Lp8q02fgp RdoR9lUbEGOaBExblQ17Mkx9L81U/hnKnxA2dScB2P9O2vVHVAhp3/+q4aGolWRAsx 8Xn+on7x74I8dWiYjdzleCwZHOPzKIiH8rNxQPhCn4W2Sa9Rq+XDhA/GGkSOBeIcAQ S3aAzUnF1EYIIi2bqv4s9OvxND0qWx3C3yqn2I9m2rO7YIG64YFuQJgZwcpvl4uscH JRO9Ihn6e0n4A==
Received: from [192.168.7.69] (thing1.merrymeet.com [173.164.244.99]) by mr85p00im-ztdg06021801.me.com (Postfix) with ESMTPSA id 10CD3180057; Tue, 2 Apr 2019 03:32:05 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Jon Callas <joncallas@icloud.com>
In-Reply-To: <20190331121024.cgta3emx6vefex6x@aurora.local.incenp.org>
Date: Mon, 01 Apr 2019 20:32:04 -0700
Cc: Jon Callas <joncallas@icloud.com>, openpgp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B855F074-0696-407C-8542-809456CF3B1D@icloud.com>
References: <20190331121024.cgta3emx6vefex6x@aurora.local.incenp.org>
To: Damien Goutte-Gattat <dgouttegattat=40incenp.org@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-02_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1812120000 definitions=main-1904020024
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/54WB8OFCp1HrpsEdqAM4jXUraJU>
Subject: Re: [openpgp] New S2K specifiers?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 03:32:08 -0000

> 
> * Is there any interest for a “more modern” S2K, or is the
>  Iterated+Salted S2K still considered fine enough for RFC4880bis?

I’d love to see it modernized. I despise the present S2K function. I recognize that most of my reaction is not entirely rational, but I still despise it.

I know that what I despise about it is the stupid one-byte floating point number for the “count” and the fact that the count is a number of bytes generated, which means that it has massively different characteristics if you change the hash function. 

(Consider the same count with SHA256 and SHA512. Since it is a byte count, you end up with half the number of iterations of SHA512 as SHA256, and on a 64-bit CPU, they run at more or less the same speed with SHA512 often marginally faster. This is completely counter-intuitive.)

From a security standpoint, though, there’s no real advantage to PBKDF2, even if it’s better architected.

So all in all, as much as I’d like to do something, keeping the existing one is good enough.



> 
> * If we want a more modern S2K, then is Argon2i the right choice?

I view this as primarily an implementation issue.

If I were to write that section, I’d put both Argon2i and Argon2d in. There are reasons to go with either, and I’d leave that to the implementation.

Interoperability matters only when you transfer keys from one implementation to another, and as time goes on that is less and less of a problem. (And the grumpy part of me says that if you’re going to transfer to some new implementation, maybe you want a new key, anyway even as I know that’s not friendly.)

I believe it’s important also to have something that is merely a spin loop, like the present iterated+salted or PBKDF2.

	Jon

v2.23.0 | Report a Bug | By Email