Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
Bruce Walzer <bwalzer@59.ca> Thu, 28 July 2022 15:23 UTC
Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169EDC183593 for <openpgp@ietfa.amsl.com>; Thu, 28 Jul 2022 08:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RfcKsVf4zXPx for <openpgp@ietfa.amsl.com>; Thu, 28 Jul 2022 08:23:01 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF7BEC185718 for <openpgp@ietf.org>; Thu, 28 Jul 2022 08:22:52 -0700 (PDT)
Received: from [104.246.140.18] (helo=watt.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oH5Ld-0001v6-01; Thu, 28 Jul 2022 10:22:49 -0500
Date: Thu, 28 Jul 2022 10:22:46 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Justus Winter <justus@sequoia-pgp.org>
Cc: openpgp@ietf.org
Message-ID: <YuKpxp0/Dy1DfC19@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87bktajjvq.fsf@thinkbox>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/GgfG5EfrpVtXfM8rr8oeQI6NDDk>
Subject: Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 15:23:03 -0000
On Thu, Jul 28, 2022 at 12:00:57AM +0200, Justus Winter wrote: > Bruce Walzer <bwalzer@59.ca> writes: > > > On Tue, Jul 26, 2022 at 06:51:25PM +0200, Justus Winter wrote: > > > >> > OpenPGP is a messaging standard and has to be such that > >> > interoperability is possible between different systems. That is at > >> > odds with normal Argon2 usage. > >> > >> If you are doing pre-shared key encryption, you have to communicate the > >> key to the recipient, hence you do know in what context the data will be > >> decrypted. > > > > How would this work in practice? Would we ask the user for the Argon2 parameters at encryption time? > > > > Enter passphrase: *********************** > > Enter memory available for decryption (KiB): 2000 > > Enter execution threads available for decryption: 8 > > Enter passes for decryption: 3 > > How would S2K work in practice? > > Enter passphrase: *********************** > Enter S2K type: Iterated and Salted > Enter hash algorithm: RipeMD160 > Enter octet count: 65000000 > Error: Invalid octet count, must be a integer solution to (16 + m) * 2^(6 + e) > Enter octet count: 65011712 We were discussing the Argon2 proposal and suddenly we are discussing the existing standardized thing. I an arguing that the Argon2 proposal as it exists should not be included in an OpenPGP draft. I an hoping that argument can stand on its own. At any rate, it is very clear that Argon2 is more complicated to set up than the standardized thing. So if we are looking for an argument that the proposal is better than the currently standardized thing then we will not find it here. > >> Even if you don't, let's say you are archiving some data, > >> experience tells us that available memory will grow, not shrink, so > >> whatever memory you can supply now for the encryption, you can be sure > >> that the future recipient will have enough to decrypt it. > > > > Memory here is the memory available to the task, not the overall > > system. Restricting that memory is all the rage these days because of > > containerization/virtualization and on mobile to overcome the effects > > of misbehaving apps. > > If you don't have enough RAM, you cannot decrypt it (in reasonable > time). If you don't have enough RAM, you cannot decrypt it at all. A typical implementation would blow up with some sort of out of memory error. > This is not unlike the situation that you won't be able to > decrypt it if you don't support the cipher, AEAD mode, or OpenPGP > version (anymore). Which is why we should avoid such situations if possible by only changing these things when absolutely necessary. Note that I strongly oppose the addition of AEAD modes for this very reason (among others). I don't know what you mean by "OpenPGP version". [...] Bruce
- [openpgp] The Argon2 proposal seems incomplete (D… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Werner Koch
- Re: [openpgp] The Argon2 proposal seems incomplet… Paul Wouters
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… brian m. carlson
- Re: [openpgp] The Argon2 proposal seems incomplet… Stephen Farrell
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- [openpgp] OpenPGP encryption block modes (Was: Th… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Benjamin Kaduk
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes (Was… Phillip Hallam-Baker
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Ángel
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Kahn Gillmor