Re: [openpgp] [PATCH] Updated S2K
Werner Koch <wk@gnupg.org> Tue, 09 April 2019 06:10 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/9ghAFSjywQsCnOyUzOYybD5VytI>
On Mon, 8 Apr 2019 22:14, ndurner=40googlemail.com@dmarc.ietf.org said:

> 3 Iterated and Salted S2K
> + 4 Argon2i

I do not think that adding a new S2K algorithm is useful:

The major use cases for OpenPGP are public key operations. Here we do not require an S2K algorithm at all.

The S2K is used for the Transferable Secret Keys which should be an operation performed with all due diligence: It is better to use a secure channel and best a symmetric encryption based on a full entropy key. Without a pairing algorithm it is often better to write down the key and employ a courier instead of relying on a weak passphrase and resource intensive KDF. The KDF would anyway need to be parametrized in a way that it can be used for export or import on a low end machine. This is a case by case decision and we would be better off to not extend the Transferable Secret Keys format with new methods but use the existing OpenPGP symmetric key formats.

The other use for an S2K is symmetric encryption. OpenPGP has only basic support for this and does not provide any key management functions for this. Eventually we will need to add such functions to OpenPGP to make symmetric encryption a first class citizen of OpenPGP. Right now the secure choice you have is to use a full-entropy passphrase and store it in a separate symmetric key database. In fact this is a real world use case of gpg. I doubt that Argon2i is in any way helpful here because it conveys the message that a low-entropy passphrase along with a resource hungry KDF is an alternative for a secure passphrase.

> -Implementations SHOULD use salted or iterated-and-salted S2K
> -specifiers, as simple S2K specifiers are more vulnerable to dictionary
> -attacks.
> +Implementations MUST generate S2K specifiers that include salts
> +(either type 1, 3 or 4), as simple S2K specifiers are more vulnerable to

The SHOULD is there for a reason: Taking a full-entropy passphrase out of a database does not require any salt. It even demands the fastest KDF we can provide. This has been discussed in the past.

> + <reference anchor='Argon2i'
> + target='https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04'>

This is not a useful reference: It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
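
Review bot: In the S2K type table hunk, the added row `+ 4 Argon2i` allocates ID 4, but the quoted lines show no field layout for that specifier. The patch should define the octets of the type 4 specifier, including the salt and the cost parameters, and say how an importing implementation bounds those parameters before running the KDF, since the same specifier has to be usable on a low end machine.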
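
Review bot: In the hunk that replaces the SHOULD sentence, `MUST generate` constrains only the producer, so the text should also state whether a consumer still has to accept simple S2K specifiers in existing data. The parenthetical `(either type 1, 3 or 4)` identifies the specifiers by number only; naming them (salted, iterated and salted, Argon2i) keeps the sentence readable without the table, and "either" does not fit a list of three. The new requirement also has no exception for a full-entropy passphrase, which is the case the old SHOULD left room for.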
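
Review bot: In the reference hunk, the `target` of `<reference anchor='Argon2i'` pins revision -04 of an Internet-Draft. If the type 4 definition relies on this document for the algorithm itself, the reference should point to a stable publication, or be listed as informative and marked as work in progress, with the cited revision updated as the draft changes.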