Re: [openpgp] Partial review of the crypto refresh

Marcus Brinkmann <marcus.brinkmann@rub.de> Fri, 25 November 2022 19:38 UTC

Cc: Daniel Huigens <d.huigens@protonmail.com>, IETF OpenPGP WG <openpgp@ietf.org>
To: Paul Wouters <paul@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/7Jz6QImQpHUA2wlSVvWFADBTCDE>

Hi,

> On 25.11.2022 at 18:15, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Fri, 25 Nov 2022, Marcus Brinkmann wrote:
> 
>> The count consists of a "mantissa" between 16 and 31, and an exponent (to base 2) between 6 and 21. The total count is mantissa*2^exponent, which is a
>> number between 1024 and 65,011,712. With a blocksize of 512 bits (SHA-1, SHA-2), we have to divide by 64, giving an iteration count of up to approx. 1M.
>> Computing SHA-1 can be done very quickly using standard CPUs (~100 MH/s), GPUs (~20 GH/s), and dedicated ASICs (such as used for Bitcoin mining, total
>> network capacity ~160 Million TeraHash/s!). We can now compute how hard it is to brute-force a PGP password. With a single GPU (such as an RTX3090 with 23
>> GH/s) and 1M H/Password, we are looking at 2.3M password guesses per second. A stronger hash function only reduces this by a small factor (SHA-256: factor
>> 2.3, SHA-512: factor 7), but really the only viable option here is a much stronger password. Using a uniformly distributed random password from a
>> 64-letter alphabet (a-zA-Z0-9+/) and a password length of 14 characters (= 2^84 passwords), you can pretty much ignore the PGP S2K settings for now
>> (ignoring QC).
>> Suggestion:
>>   If Argon2 is not available, Iterated and Salted S2K MAY be used if
>>   care is taken to use a high octet count and a strong passphrase.
>>   However, this method does not provide memory-hardness, unlike Argon2.
> 
> Any reason not to suggest 14 instead of "high"? Or say "high octet (14
> or more)"?

Ok, this is confusing, so we should find a different wording. The octet count I understood to refer to the exponent and mantissa of the S2K iteration count, which must depend on the computing power. The 14 I gave is the password length and depends on the alphabet. We should probably spell this out in more words, but the exact numbers are very use case dependent, so we can’t really give concrete numbers in the standard, I think. Maybe give an example?

Thanks,
Marcus

—
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Phone: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
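
The two quantities that were confused in this exchange, the coded S2K octet count and the passphrase length, can be worked through side by side. The following is an added example, not part of the original message or of the draft. The decoding formula is the one given in RFC 4880, section 3.7.1.3; the function names are hypothetical, the 23 GH/s rate and the 64-octet block size are the figures quoted in the thread, and counting one hash per 64-octet block is a simplifying assumption.

```python
import math

EXPBIAS = 6  # exponent bias, RFC 4880 section 3.7.1.3

def decode_count(c):
    """Octet count selected by the one-octet coded count c."""
    if not 0 <= c <= 255:
        raise ValueError("coded count must be a single octet")
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)

def encode_count(octets):
    """Smallest coded count whose octet count is >= octets."""
    for c in range(256):  # decode_count is strictly increasing in c
        if decode_count(c) >= octets:
            return c
    raise ValueError("above the maximum of 65,011,712 octets")

def guesses_per_second(c, hashes_per_second, block_octets=64):
    """Passphrase guesses/s, counting one hash per 64-octet block (assumption)."""
    return hashes_per_second / (decode_count(c) / block_octets)

def passphrase_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, rate):
    """Years to try every passphrase of the given entropy at rate guesses/s."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)

if __name__ == "__main__":
    GPU = 23e9  # hashes/s, the single-GPU figure quoted in the thread
    for c in (0x60, 0xFF):  # constructed sample settings: low and maximum
        rate = guesses_per_second(c, GPU)
        print(f"coded count 0x{c:02X}: {decode_count(c):>10,} octets, "
              f"{rate:,.0f} guesses/s")
    rate = guesses_per_second(0xFF, GPU)
    for alphabet, length in ((26, 8), (64, 14)):  # constructed passphrase shapes
        bits = passphrase_bits(alphabet, length)
        print(f"{length} chars from {alphabet}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at max count")
```
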