Re: [openpgp] Choices for AEAD modes [was: AEAD and Rome]

Justus Winter <justus@sequoia-pgp.org> Wed, 15 June 2022 09:27 UTC

From: Justus Winter <justus@sequoia-pgp.org>
To: Werner Koch <wk@gnupg.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: openpgp@ietf.org
In-Reply-To: <875yl2bajt.fsf@wheatstone.g10code.de>
References: <BB9D0AB9-CC8C-420E-8082-E9F64B09BF46@ribose.com> <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca> <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com> <YqPEw8OIlf0PG40T@camp.crustytoothpaste.net> <25c3a7b5-07ef-1521-1a14-43ef0c7b4043@cs.tcd.ie> <SY4PR01MB6251D365368552630ECCD720EEA99@SY4PR01MB6251.ausprd01.prod.outlook.com> <4dd0ad8b-9de7-15e6-a9ef-e0401acd69f8@sixdemonbag.org> <p_7pskU0MxbpIjGwmAUTMmFsJxjA8QRQCGDbCfrYQTSXocrlDUFDdNuHXChjBwy3RAc2eA_mRIyGFDWD6u5peNNL_F9I3yUYXAa5Khy5XqE=@protonmail.com> <87y1y0bj9r.fsf_-_@wheatstone.g10code.de> <mAnMlR7HNIXC0Mzquewg8bVEHE9cqSkScWwn7zNyD0GBWXzr6CFS858ENPS6fPzVV7TyIbkOhgiG75aVKSuw2EBeCc_SDYpaG5IIzmDGemQ=@protonmail.com> <87o7yuoluk.fsf@fifthhorseman.net> <875yl2bajt.fsf@wheatstone.g10code.de>
Date: Wed, 15 Jun 2022 11:27:48 +0200
Message-ID: <877d5ixomj.fsf@europ.lan>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/HybFMcSh1jn6kuSM0l4e9ZOmyMg>
Subject: Re: [openpgp] Choices for AEAD modes [was: AEAD and Rome]

Werner Koch <wk@gnupg.org> writes:

> On Tue, 14 Jun 2022 19:40, Daniel Kahn Gillmor said:
>
>>  d) we can revert to rfc4880bis-10's AEAD packet framing and key
>>     schedule, with its table of AEAD modes, without guarantees of key
>>     separation, and without GCM, but switched to OCB as the MTI mode.
>
> Yes, this is what has been deployed worldwide for years in millions of
> installations (decryption wise) and is meanwhile in active use.

It is no one's fault but your own that you chose to distribute software
that implements a standard that hasn't been finalized.  And now you are
trying to turn that into an argument to make OpenPGP less secure.

Also, as has been pointed out, "bis-style" AEAD can still be supported
to some extent.  So the crypto refresh is not making existing
ciphertexts unreadable.

> After consensus in the WG!

If you had all that consensus in the WG back then, maybe you should
have actually produced a revision to RFC4880?

You keep alluding to the past, to the 2000s.  That was over twenty years
ago.  Things change.

draft-ietf-openpgp-crypto-refresh-06 represents a broad consensus among
the community: members of most major OpenPGP implementations came
together and worked on the text in the design team.  Represented were
GnuPG, RNP, GopenPGP, OpenPGP.js, and Sequoia.

The AEAD scheme we are proposing isn't hard to implement.  In fact,
there are prototypes for GnuPG and Sequoia.

If you have concrete concerns, then by all means, do speak up.  However,
"this is different from what I've been doing" isn't a valid concern.

Justus