Re: [openpgp] OpenPGP SEIP downgrade attack

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 08 October 2015 14:59 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC6C1A21AA for <openpgp@ietfa.amsl.com>; Thu, 8 Oct 2015 07:59:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YT9tTWQEX-4f for <openpgp@ietfa.amsl.com>; Thu, 8 Oct 2015 07:59:18 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6079D1A1AE3 for <openpgp@ietf.org>; Thu, 8 Oct 2015 07:59:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1444316358; x=1475852358; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=XyGQB8tZ1D+OMwTCHP6/v/42GDr8afh/FTMbU2UgYes=; b=xqKh8NO2fpxA/F/PbQT5eFPWvcWfeRh2qGOxX8G3zVlO575vTxvleLAa cTpbtPA3YHZIueDhbyiEDwBvynKrzHX97ITyq1IyYTuRjsftIM5g6pRql l3x4p6kovG/Eb+MyJ6HkKptChmE9TsnOVkz671RK3GfuR9+lzK8UMQiVY 9mfIApx/iWwptx9acHsc/4nvHQMz3ys1KJJiSWENVTpmSUgQaz75q9FKF J3nkVAH3b5gZtTcREw/9hzEQ/ibKq0V+6hrzxXVrdtAOY2F+o/FTqqeBa M3TgIKi1Bgr+Uqpq6V+s3VR1W+w/G1cVKHJ/fTqYhEwKZ+f/SALRoEhND Q==;
X-IronPort-AV: E=Sophos;i="5.17,655,1437393600"; d="scan'208";a="47360665"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 09 Oct 2015 03:59:16 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.51]) by uxchange10-fe3.UoA.auckland.ac.nz ([169.254.143.234]) with mapi id 14.03.0174.001; Fri, 9 Oct 2015 03:59:16 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Werner Koch <wk@gnupg.org>
Thread-Topic: [openpgp] OpenPGP SEIP downgrade attack
Thread-Index: AQHQ/3dAIgzGDRicekamqnyxIGnZTZ5gcUt1gAFDQuw=
Date: Thu, 8 Oct 2015 14:59:15 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B2D532@uxcn10-5.UoA.auckland.ac.nz>
References: <56128436.40607@assured.se> <87y4fh4210.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B28383@uxcn10-5.UoA.auckland.ac.nz> <87k2r04hak.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B2C5B4@uxcn10-5.UoA.auckland.ac.nz>, <87si5m1ncm.fsf@vigenere.g10code.de>
In-Reply-To: <87si5m1ncm.fsf@vigenere.g10code.de>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/CFq05d28gRIfAYkv-eko7gKcPZc>
Cc: "cfrg@mail.ietf.org" <cfrg@mail.ietf.org>, Jonas Magazinius <jonas.magazinius@assured.se>, "cryptography@metzdowd.com" <cryptography@metzdowd.com>, "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] OpenPGP SEIP downgrade attack
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 14:59:23 -0000

Werner Koch <wk@gnupg.org>; writes:

>When taking up these trouble why got for a slow method whilst faster methods
>are available.

AES-GCM is only fast on CPUs with dedicated hardware support for it (PCLMULQDQ
on x86), it's actually quite slow in pure software (on x86 the slowdown is
about an order of magnitude).  The figures are really all over the place
depending on what system it's running on, so it's a bit hard to generalise any
statement about it.

(It's also not clear whether someone encrypting a 10k email message with PGP
is going to notice it being processed at 100MB/s or 150MB/s).

>OCB works with all 128 bit block length ciphers and is faster than GCM.

It's also a lot more patented than GCM.

(I actually really like OCB and don't like GCM much, but the patent situation
makes it pretty problematic).

Peter.