Re: [openpgp] New fingerprint: to v5 or not to v5
"Daniel A. Nagy" <nagydani@epointsystem.org> Tue, 29 September 2015 14:26 UTC
To: openpgp@ietf.org
References: <878u84zy4r.fsf@vigenere.g10code.de> <55FD7CF0.8030200@iang.org> <87io742kz7.fsf@latte.josefsson.org> <560A982A.1040409@iang.org>
From: "Daniel A. Nagy" <nagydani@epointsystem.org>
Message-ID: <560A9F7B.9080907@epointsystem.org>
Date: Tue, 29 Sep 2015 16:26:03 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/EhZ31ongvpmbvNgkmMnaM0OsW7U>
Subject: Re: [openpgp] New fingerprint: to v5 or not to v5

Hi,

I fully support the "One True Cipher Suite" paradigm of Ian. At Ethereum (which is where I currently work), we have had quite a long explorative discussion about the choice of THE hash function, and we came out in favor of SHA3 (Keccak) for a multitude of good reasons most of which apply to OpenPGP as well. I believe that the most important documents from that debate are publicly available, but if necessary, I am willing to repeat the arguments in a nutshell.

Furthermore, I also believe that if OpenPGP finally leaves the convoluted CFB variant behind and goes for stream ciphers, SHAKE has some very clear benefits over AES-CTR, chief among them that by using a closely related hash function and stream cipher, we follow the "keep all your eggs in one basket and watch that basket" principle; in other words, we present a smaller cross-section to potential attackers.

Bests,

Daniel

On 2015-09-29 15:54, ianG wrote:
> On 21/09/2015 05:13 am, Simon Josefsson wrote:
>> ianG <iang@iang.org> writes:
>>
>>> Hi Werner,
>>>
>>>
>>> On 17/09/2015 19:41 pm, Werner Koch wrote:
>>>> I'd like to get opinions on one specific aspect of a new fingerprint
>>>> format in 4880bis.
>>>>
>>>> In the past we bound the fingerprint format to the key packet version:
>>>> v3 keys used MD5 and v4 keys SHA-1 fingerprints. This gained us the
>>>> benefit of having a bijective connection between fingerprint and key.
>>>
>>> I'm hugely on that side. I'll always vote for that. I even staked my
>>> rep on it :)
>>>
>>> http://iang.org/ssl/h1_the_one_true_cipher_suite.html
>>>
>>> Which came directly from the experience of hacking PGP & OpenPGP in
>>> Perl/Java as part of Cryptix. The tears, the fears, the costs.
>>>
>>> So: the only choice for me is which hash you pick for v5. If you
>>> want another one, start planning for v6.
>>
>> +1
>>
>> I believe sub-negotiating in security protocol leads to obscure problems
>> and makes security evaluation harder. If we can avoid that, and that
>> appears to be the case, I'm all for it.
>>
>> Regarding which hash to use, SHA-256 is probably the simplest choice
>> from a practicality and consensus point of view. Are there any strong
>> reasons to favor something else?
>>
>> What would the relevant options be anyway? SHA-256, BLAKE2,
>> SHA3-256, SHA-512, CubeHash? Would there be value in being able to use
>> variable length SHAKE variants?
>
>
> There are a few reasons to go to SHA3 or SHAKE, as far as I see it.
>
> 1. It leaps us ahead by about a decade in terms of cryptographic
> experience.
>
> 2. It can do any size so we can use the same algorithm for all the
> different uses, without getting into esoteric arguments about
> truncation. Indeed this is intended -- although rare, the team that
> made SHA3 felt our pain and improved our interface to the black box
> known as the message digest.
>
> 3. This further leads to the possibility that if we get scared of the
> "short" length, we can just lengthen the base array and let the software
> work it out. Similar to PHB's concept, we could just pre-ordain some
> applicable lengths that work for all purposes.
>
> 4. The same base algorithm can be used as a symmetric AE cipher. This
> leads to the possibility of one algorithm family giving most of the
> cryptographic needs (we'd need an asymmetric one too). The development
> savings and the size savings are not to be sniffed at: leads to small
> lightweight deployments e.g., on IoT and many more and maintainable
> language implementations.
>
> 5. As a higher level meta-advantage, getting us away from the alphabet
> soup approach to protocol design might clarify to us why it is that
> there is an advantage in having more than one of everything around.
>
>
>
>
> iang
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
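
Added example, not part of the original message or of any OpenPGP draft: the v4 SHA-1 fingerprint beside a hypothetical SHAKE256 fingerprint over the same RFC 4880 framing, showing the "any size" and "just lengthen it" points quoted above (a longer SHAKE output extends the shorter one). The key bytes, MIN_LEN and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: v4 public-key packet body (version octet, creation
# time, algorithm octet, then placeholder bytes in place of key material).
SAMPLE_KEY_BODY = bytes([4]) + struct.pack(">I", 1443536763) + bytes([1]) + bytes(range(40))

MIN_LEN = 20  # assumed policy floor: shortest fingerprint a verifier accepts


def framed(body: bytes) -> bytes:
    """RFC 4880 fingerprint input: 0x99, two-octet length, packet body."""
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> bytes:
    """The existing v4 fingerprint: SHA-1, fixed at 20 octets."""
    return hashlib.sha1(framed(body)).digest()


def shake_fingerprint(body: bytes, nbytes: int) -> bytes:
    """Hypothetical fingerprint: SHAKE256 squeezed to the requested length."""
    if nbytes < MIN_LEN:
        raise ValueError("fingerprint shorter than the policy floor")
    return hashlib.shake_256(framed(body)).digest(nbytes)


def matches(presented: bytes, body: bytes) -> bool:
    """Check a presented fingerprint of any accepted length against a key.

    Because a short SHAKE output is a prefix of every longer one, the
    verifier has to enforce the minimum length itself.
    """
    if len(presented) < MIN_LEN:
        return False
    expected = shake_fingerprint(body, len(presented))
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print("v4 SHA-1  :", v4_fingerprint(SAMPLE_KEY_BODY).hex())
    print("SHAKE (20):", shake_fingerprint(SAMPLE_KEY_BODY, 20).hex())
    print("SHAKE (32):", shake_fingerprint(SAMPLE_KEY_BODY, 32).hex())
```

The prefix relation is what lets software "work it out" when a fingerprint is lengthened, and it is also why the length floor belongs in the verifier rather than in the data being checked.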