Re: [openpgp] [PATCH] Updated S2K

Werner Koch <wk@gnupg.org> Tue, 09 April 2019 06:10 UTC

From: Werner Koch <wk@gnupg.org>
To: Nils Durner <ndurner=40googlemail.com@dmarc.ietf.org>
Cc: openpgp@ietf.org
References: <CAOyHO0zz3PdWpsX=7mcT370WSmR_Cn7Er19zQ8P056XFa-3y9Q@mail.gmail.com>
Organisation: GnuPG e.V.
Date: Tue, 09 Apr 2019 08:07:17 +0200
In-Reply-To: <CAOyHO0zz3PdWpsX=7mcT370WSmR_Cn7Er19zQ8P056XFa-3y9Q@mail.gmail.com> (Nils Durner's message of "Mon, 8 Apr 2019 22:14:47 +0200")
Message-ID: <875zrnn23u.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/9ghAFSjywQsCnOyUzOYybD5VytI>
Subject: Re: [openpgp] [PATCH] Updated S2K

On Mon,  8 Apr 2019 22:14, ndurner=40googlemail.com@dmarc.ietf.org said:
>             3  Iterated and Salted S2K
> +           4  Argon2i
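Review bot: the new registry row names Argon2i but the visible hunk carries no wire layout for a type 4 specifier (memory size, pass count, parallelism, salt length), so an implementer cannot generate or parse one from this table alone; add the specifier layout alongside the row, or cross-reference the section that defines it, and state how a type 4 specifier is to be treated by an implementation that does not support it.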

I do not think that adding a new S2K algorithm is useful:

The major use cases for OpenPGP are public key operations.  Here we do
not require an S2K algorithm at all.  The S2K is used for the
Transferable Secret Keys, which should be operations performed with
all due diligence: it is better to use a secure channel and, best of
all, a symmetric encryption based on a full-entropy key.  Without a
pairing algorithm it is often better to write down the key and employ
a courier instead of relying on a weak passphrase and a resource
intensive KDF.  The KDF would anyway need to be parametrized in a way
that it can be used for export or import on a low-end machine.  This
is a case by case decision and we would be better off not extending
the Transferable Secret Keys format with new methods but using the
existing OpenPGP symmetric key formats.

The other use for an S2K is symmetric encryption.  OpenPGP has only
basic support for this and does not provide any key management
functions for it.  Eventually we will need to add such functions to
OpenPGP to make symmetric encryption a first class citizen of OpenPGP.
Right now the secure choice you have is to use a full-entropy
passphrase and store it in a separate symmetric key database.  In fact
this is a real world use case of gpg.  I doubt that Argon2i is in any
way helpful here because it conveys the message that a low-entropy
passphrase along with a resource hungry KDF is an alternative to a
secure passphrase.

> -Implementations SHOULD use salted or iterated-and-salted S2K
> -specifiers, as simple S2K specifiers are more vulnerable to dictionary
> -attacks.
> +Implementations MUST generate S2K specifiers that include salts
> +(either type 1, 3 or 4), as simple S2K specifiers are more vulnerable to
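Review bot: changing SHOULD to MUST here is a normative tightening whose consequences the hunk does not state: it forbids generating a type 0 (simple) specifier but says nothing about whether a receiver must still accept type 0 on input for existing data, and it removes the unsalted, fast path used when the passphrase fed to the S2K is already a full-entropy key drawn from a key store. Either keep "SHOULD use salted or iterated-and-salted S2K specifiers" with its rationale, or add a sentence covering receivers and the full-entropy exception. The quoted replacement sentence is also cut off after "more vulnerable to"; make sure the full sentence ("dictionary attacks") survives in the patch.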

The SHOULD is there for a reason: Taking a full-entropy passphrase out
of a database does not require any salt.  It even demands the fastest
KDF we can provide.  This has been discussed in the past.

> +      <reference anchor='Argon2i'
> +     target='https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04'>
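Review bot: pointing the Argon2i anchor at draft-irtf-cfrg-argon2-04 makes an Internet-Draft a dependency of a registry entry; Internet-Drafts are work in progress, may change or expire, and cannot be cited as anything else, so the reference should be marked as such (or made informative) and the type 4 definition should not depend on parameter semantics that can still move between draft revisions. Pinning -04 in the target at least fixes which text is meant; the reference element should also carry the usual front matter (title, authors, date) rather than a bare URL.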

This is not a useful reference:

   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
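The S2K machinery this message argues about, as an added example that is not part of the original post and not GnuPG's code: a Python implementation of the RFC 4880 section 3.7.1 S2K specifier types 0 (Simple), 1 (Salted) and 3 (Iterated and Salted), with encoding, parsing, key derivation and a count of the octets each type hashes, so the "full-entropy key needs no salt and wants the fastest KDF" claim can be measured rather than argued. Type 4 (Argon2i) is deliberately not implemented because the patch's parameter layout is not on the page. All function names, salts and passphrases below are my own constructions.

```python
import hashlib

# RFC 4880 section 9.4 hash algorithm IDs (subset) -> hashlib names.
HASH_ALGOS = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
SIMPLE, SALTED, ITERATED_SALTED = 0, 1, 3   # S2K specifier types (section 3.7.1)
SALT_LEN = 8                                # an S2K salt is always exactly 8 octets


def decode_count(code: int) -> int:
    """Octet count encoded by the one-octet coded count (section 3.7.1.3)."""
    return (16 + (code & 15)) << ((code >> 4) + 6)


def encode_count(min_octets: int) -> int:
    """Smallest coded count whose decoded value is at least min_octets."""
    for code in range(256):  # decode_count is monotonic in code
        if decode_count(code) >= min_octets:
            return code
    raise ValueError("count above the encodable maximum of 65011712 octets")


def build_specifier(mode, hash_id, salt=b"", count_code=0) -> bytes:
    """Serialise an S2K specifier exactly as it appears on the wire."""
    if hash_id not in HASH_ALGOS:
        raise ValueError(f"unsupported hash algorithm id {hash_id}")
    if mode == SIMPLE:
        return bytes([SIMPLE, hash_id])
    if len(salt) != SALT_LEN:
        raise ValueError("S2K salt must be exactly 8 octets")
    if mode == SALTED:
        return bytes([SALTED, hash_id]) + salt
    if mode == ITERATED_SALTED and 0 <= count_code <= 255:
        return bytes([ITERATED_SALTED, hash_id]) + salt + bytes([count_code])
    raise ValueError(f"unknown or reserved S2K type {mode} or bad coded count")


def parse_specifier(spec: bytes):
    """Return (mode, hash_id, salt, count_code, octets_consumed)."""
    if len(spec) < 2:
        raise ValueError("truncated S2K specifier")
    mode, hash_id = spec[0], spec[1]
    if mode == SIMPLE:
        return mode, hash_id, b"", None, 2
    if mode in (SALTED, ITERATED_SALTED):
        need = 2 + SALT_LEN + (1 if mode == ITERATED_SALTED else 0)
        if len(spec) < need:
            raise ValueError("truncated S2K specifier")
        salt = bytes(spec[2:2 + SALT_LEN])
        count = spec[need - 1] if mode == ITERATED_SALTED else None
        return mode, hash_id, salt, count, need
    raise ValueError(f"unknown or reserved S2K type {mode}")


def octets_per_context(mode, salt, count_code, passphrase_len) -> int:
    """Octets hashed per output context; type 3 never hashes less than one seed."""
    seed_len = len(salt) + passphrase_len
    if mode == ITERATED_SALTED:
        return max(decode_count(count_code), seed_len)
    return seed_len


def derive_key(spec: bytes, passphrase: bytes, key_len: int) -> bytes:
    """Run the S2K and return key_len octets (section 3.7.1.1 for long keys)."""
    mode, hash_id, salt, count_code, _ = parse_specifier(spec)
    seed = salt + passphrase
    if not seed:
        raise ValueError("empty passphrase with no salt: nothing to hash")
    total = octets_per_context(mode, salt, count_code, len(passphrase))
    name = HASH_ALGOS[hash_id]
    digest_len = hashlib.new(name).digest_size
    out = b""
    for ctx in range(-(-key_len // digest_len)):
        h = hashlib.new(name)
        h.update(b"\x00" * ctx)  # context i is preloaded with i zero octets
        full, rem = divmod(total, len(seed))
        for _ in range(full):
            h.update(seed)
        h.update(seed[:rem])
        out += h.digest()
    return out[:key_len]


def hashed_octets(spec: bytes, passphrase_len: int, key_len: int) -> int:
    """Work factor of one derivation: total octets fed to the hash."""
    mode, hash_id, salt, count_code, _ = parse_specifier(spec)
    per_ctx = octets_per_context(mode, salt, count_code, passphrase_len)
    digest_len = hashlib.new(HASH_ALGOS[hash_id]).digest_size
    contexts = -(-key_len // digest_len)
    return sum(ctx + per_ctx for ctx in range(contexts))


if __name__ == "__main__":
    # Constructed inputs: a 32-octet full-entropy key taken from a key store,
    # run through a 65536-octet iterated specifier and through type 0.
    slow = build_specifier(ITERATED_SALTED, 8, b"\x01" * 8, encode_count(65536))
    fast = build_specifier(SIMPLE, 8)
    print("type 3 hashes", hashed_octets(slow, 32, 32), "octets for a 32-octet key")
    print("type 0 hashes", hashed_octets(fast, 32, 32), "octets for the same key")
```

Run stand-alone, the script shows the ratio the message is about: for a key that already has 256 bits of entropy, type 3 hashes 65536 octets per derivation and type 0 hashes 32, and both produce a key of identical strength, which is why a SHOULD rather than a MUST on salted specifiers leaves room for the key-store case. The parser refuses reserved types instead of guessing, since an unknown specifier type shifts every octet that follows it.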