IETF Logo Mail Archive

Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)

Bruce Walzer <bwalzer@59.ca> Thu, 28 July 2022 15:23 UTC

Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169EDC183593 for <openpgp@ietfa.amsl.com>; Thu, 28 Jul 2022 08:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RfcKsVf4zXPx for <openpgp@ietfa.amsl.com>; Thu, 28 Jul 2022 08:23:01 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF7BEC185718 for <openpgp@ietf.org>; Thu, 28 Jul 2022 08:22:52 -0700 (PDT)
Received: from [104.246.140.18] (helo=watt.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oH5Ld-0001v6-01; Thu, 28 Jul 2022 10:22:49 -0500
Date: Thu, 28 Jul 2022 10:22:46 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Justus Winter <justus@sequoia-pgp.org>
Cc: openpgp@ietf.org
Message-ID: <YuKpxp0/Dy1DfC19@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87bktajjvq.fsf@thinkbox>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/GgfG5EfrpVtXfM8rr8oeQI6NDDk>
Subject: Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 15:23:03 -0000

On Thu, Jul 28, 2022 at 12:00:57AM +0200, Justus Winter wrote:
> Bruce Walzer <bwalzer@59.ca> writes:
> 
> > On Tue, Jul 26, 2022 at 06:51:25PM +0200, Justus Winter wrote:
> >
> >> > OpenPGP is a messaging standard and has to be such that
> >> > interoperability is possible between different systems. That is at
> >> > odds with normal Argon2 usage.
> >> 
> >> If you are doing pre-shared key encryption, you have to communicate the
> >> key to the recipient, hence you do know in what context the data will be
> >> decrypted.
> >
> > How would this work in practice? Would we ask the user for the Argon2 parameters at encryption time?
> >
> >     Enter passphrase: ***********************
> >     Enter memory available for decryption (KiB): 2000
> >     Enter execution threads available for decryption: 8
> >     Enter passes for decryption: 3
> 
> How would S2K work in practice?
> 
>      Enter passphrase: ***********************
>      Enter S2K type: Iterated and Salted
>      Enter hash algorithm: RipeMD160
>      Enter octet count: 65000000
>      Error: Invalid octet count, must be a integer solution to (16 + m) * 2^(6 + e)
>      Enter octet count: 65011712

We were discussing the Argon2 proposal and suddenly we are discussing
the existing standardized thing. I an arguing that the Argon2 proposal
as it exists should not be included in an OpenPGP draft. I an hoping
that argument can stand on its own. At any rate, it is very clear that
Argon2 is more complicated to set up than the standardized thing. So
if we are looking for an argument that the proposal is better than the
currently standardized thing then we will not find it here.

> >> Even if you don't, let's say you are archiving some data,
> >> experience tells us that available memory will grow, not shrink, so
> >> whatever memory you can supply now for the encryption, you can be sure
> >> that the future recipient will have enough to decrypt it.
> >
> > Memory here is the memory available to the task, not the overall
> > system. Restricting that memory is all the rage these days because of
> > containerization/virtualization and on mobile to overcome the effects
> > of misbehaving apps.
> 
> If you don't have enough RAM, you cannot decrypt it (in reasonable
> time).

If you don't have enough RAM, you cannot decrypt it at all. A typical
implementation would blow up with some sort of out of memory error.

> This is not unlike the situation that you won't be able to
> decrypt it if you don't support the cipher, AEAD mode, or OpenPGP
> version (anymore).

Which is why we should avoid such situations if possible by only
changing these things when absolutely necessary. Note that I strongly
oppose the addition of AEAD modes for this very reason (among
others). I don't know what you mean by "OpenPGP version".

[...]

Bruce

v2.23.0 | Report a Bug | By Email