[openpgp] Re: session key length with SEIPDv2
Daniel Huigens <d.huigens@protonmail.com> Mon, 23 September 2024 23:14 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D26FC151076 for <openpgp@ietfa.amsl.com>; Mon, 23 Sep 2024 16:14:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRhcGW2qIzwL for <openpgp@ietfa.amsl.com>; Mon, 23 Sep 2024 16:14:30 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A980C14F6E3 for <openpgp@ietf.org>; Mon, 23 Sep 2024 16:14:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1727133268; x=1727392468; bh=QF3IKkKmnL3mct2+8HFtz1S/+LUHE4WWICAaXaRdF68=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=GbILznfX7PZSoXiNKjlDfaNVGKEvCvjYHSGaR2JtLhCfJDMRB9ZxyV0Elv01WHDl9 f02E/r2MRRlxcIUrH+GRhbFwtoPpUNNRt1zwDHj+YprsIA+bTpYbixE+E3qRmi68Ap c+Ro2iJ8QtQzaTM2w3nRfalaz60LYtuJnSIWUlHAO+RAKEZCX762B/YKTIuhRVtfxT Ct5L2Lvm8PQJ8S2XZLxvRcpEs98qboG+UfRGbKZwo14jAUj5j5rwppR32OCll9s7bq UUelJEbx0W5+s6Mj4FsTkDv1RL+OKnxMyYaPdLYLb/72aZLVVJyMPvW6o3JiCPG5s4 6B34J9EBIhnrQ==
Date: Mon, 23 Sep 2024 23:14:24 +0000
To: Heiko Schäfer <heiko.schaefer@posteo.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <HvPoeoRKHGaIbIcV2cwKvnY8uVH6UqJ2PUAlBu1AFmyr6plq6RNUGqQNKZE9RllDHSdDsmuPmTJeP-BX93cALBiNITsIg40HMFPPcy3Z_dQ=@protonmail.com>
In-Reply-To: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de>
References: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 6638ae817e7d9b96cf972f7f236474daa4cbe475
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2D7FDBDK7223SRNZB3T7PTNMX3DDJBSA
X-Message-ID-Hash: 2D7FDBDK7223SRNZB3T7PTNMX3DDJBSA
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/H9JiUBBfErrcpjbSechCLARFvG8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi Heiko & all, As I wrote in the issue you linked, I agree that this is an unfortunate oversight. Though, I do think all of the security risk is on the encryption / producer's side - i.e. as long as producers choose an appropriate length, the ecosystem is safe, and the consumer can't protect against the producer choosing an insecure session key in general, anyway (e.g. the producer could also choose a session key of all zeros, or a random session key but publish it somewhere). Nevertheless, we should still have had guidance for the sender, at least. Since there was never any intention to change the situation here compared to SEIPDv1, I think filing an erratum to make the situation the same again could be reasonable; although it's a bit unfortunate to have to add a normative requirement in an erratum which may be missed - but then again I'd assume by default implementations would do the same as for SEIPDv1, anyway. If others (e.g. the chairs) agree that we should file an erratum for this, I would tend to keep it simple and just say in Section 5.1 and 5.3 that: The length of the session key MUST be the key size of the symmetric algorithm used in the encryption container. Then, the implications for the producer and consumer can be inferred from that, and that way it's closest to the situation for SEIPDv1 (and no real new guidance is introduced). If we do want more explicit guidance it might be better to add it elsewhere, instead. Btw, one case where some extra care is required for SEIPDv2 specfically is if you want to reuse the session key as referred to in Section 13.8. In that case, you have to additionally make sure that the algorithm matches the key size of the session key. But that doesn't seem too onerous, and Section 13.8 already lists a bunch of other caveats, anyway. And, thanks for raising this! Best, Daniel On Sunday, September 22nd, 2024 at 18:48, Heiko Schäfer wrote: > Hello list, > > I believe RFC 9580 doesn't explicitly specify the expected/correct > length of session keys for SEIPDv2, and think this is an oversight. > > With SEIPDv1, the session key length - by definition - must equal the > key length of the symmetric cipher. > However, the construction in SEIPDv2 technically works with session keys > of any length. > > I imagine that the intent in RFC 9580 is that the session key length in > SEIPDv2 must also equal the key length of the symmetric cipher. > However, with the RFC as it stands, receiving implementations don't have > clear guidance to reject overly short SEIPDv2 session keys (or > unreasonably large ones). > > This strikes me as an unfortunate risk for the ecosystem: An application > could produce SEIPDv2 encrypted messages that use one-byte long session > keys (and send them over risky transports). Multiple libraries would > currently cheerfully accept and decrypt such a message, giving users the > (questionable) sense that the message was strongly protected. > > Of course one could argue that senders should just do better. But I > don't find that a fully satisfying perspective. > After all, recipients can very easily reject such dubious messages, and > surface their fishiness. > > > If there is indeed no legitimate reason why the length of a SEIPDv2 > session key should ever differ from the symmetric cipher key length, > then I think we should clarify (with an erratum for RFC 9580?) that: > > - The session key length for a SEIPDv2 packet must be equal to the > symmetric cipher key length. > - Recipients must refuse to decrypt SEIPDv2 packets with session keys of > differing length. > > Thanks, > Heiko > > > PS: For reference, I have previously raised this point in > https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/146, > and this issue contains some discussion > > _______________________________________________ > openpgp mailing list -- openpgp@ietf.org > To unsubscribe send an email to openpgp-leave@ietf.org
- [openpgp] session key length with SEIPDv2 Heiko Schäfer
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Justus Winter
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor