Re: [openpgp] Intent to deprecate: Insecure primitives

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 16 March 2015 04:05 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: David Leon Gil <coruus@gmail.com>, "openpgp@ietf.org" <openpgp@ietf.org>, "dgil@yahoo-inc.com" <dgil@yahoo-inc.com>
In-Reply-To: <CAA7UWsWBoXpZ2q=Lv151R593v3u=SPNif39ySX_-8=fqMniiVg@mail.gmail.com>
References: <CAA7UWsWBoXpZ2q=Lv151R593v3u=SPNif39ySX_-8=fqMniiVg@mail.gmail.com>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Mon, 16 Mar 2015 00:05:07 -0400
Message-ID: <87sid5si30.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/IltfJ29IfcfkZb7QNUqSMy8cxUE>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives

Hi David--

Thanks for this detailed list.  I agree with the intent to strip down
OpenPGP into a manageable and sensible profile, and i think the choices
you're documenting here are generally good.  A few clarifications and
questions below.

On Fri 2015-03-13 21:22:34 -0400, David Leon Gil wrote:
> 1. Yahoo and Google have both already deprecated and removed support
> for the following packet type specified for use with OpenPGPv4:
>
>     Tag 9 (symmetrically encrypted) packets
>
> These packets provide unauthenticated encryption and -- if supported
> -- can be used in a downgrade attack on senders who only use SEIPD
> packets. See https://github.com/coruus/cooperpair/tree/master/encrux
> for details.

Just to clarify: SEIPD packets are tag 18 packets, which have
"integrity-protection" included:

 https://tools.ietf.org/html/rfc4880#section-5.13

> Yahoo has deprecated, and intends to disable support for all uses, of
> the following primitives and packet types specified for use with
> OpenPGP v4:
>
> - Symmetric cipher algorithms: IDEA, TDES, CAST5, Blowfish, Twofish
> - Asymmetric algorithms, generally: RSA-ES, DSA.

Are you referring to Public Key Algorithms specifically here?  in
particular, this table:

 https://tools.ietf.org/html/rfc4880#section-9.1

If so, RSA-ES (pubkey algorithm 1) is very widely used, even for keys
that are only marked for one usage (signatures or encryption).  In fact,
i don't think there are many RSA keys labeled RSA-E (algo 2) and RSA-S
(algo 3) at all.  Why treat RSA-ES separately for deprecation?

On a relatively up-to-date keyring with a couple-thousand OpenPGP
certificates, i did this check (the first column is the count, the
second column is the algorithm ID):

0 foo@bar:~$ gpg2 --list-keys --with-colons | awk -F :  '/^[ps]ub:/{ print $4 }' | sort | uniq -c 
   2955 1
   1766 16
   1648 17
      2 18
      3 19
     19 20
      2 22
0 foo@bar:~$ 

> - Asymmetric algorithms, unless > 3070 bit key length: RSA-S, RSA-E, ELG-E.

How did you choose this cutoff?  I'm happy to see a high bar personally,
but this is likely to invalidate many 2048-bit keys that people have
been generating with (e.g.) the GnuPG defaults today.  Do you think that
GnuPG should change its defaults to the higher cutoff?

> - Compression algorithms: ZLIB. (It provides no benefits over DEFLATE,
> and is more malleable.)

Why keep DEFLATE at all?  quining seems to be possible with DEFLATE as
well.  what if we yanked all compression at this layer?

 (on openpgp quining due to compression, see the 2013-10-08 entry at
  http://mumble.net/~campbell/blag.txt)

> - Hash algorithms: MD5, SHA-1, RIPEMD160, SHA-2-224.

The OpenPGPv4 fingerprint uses SHA-1, in a way that doesn't appear to be
cryptographically risky; i'm assuming you're not removing v4
fingerprints entirely, just SHA-1 as a digest algorithm for message
signing.  right?

> 1. A published public key that is more than 1 year old. (This is
> mainly taken care of by requiring > 3070 bit RSA keys...)

Can you say more about this?  Is this about a specific cutoff in time,
or *anything* that is "more than 1 year old" at the present?  If it's
the latter, what effect do you expect this kind of regular key rollover
will have?  why is it warranted?

> 2. Signature by a public key which has ever signed a message or key
> using MD-5 or SHA-1.

How would you tell if this is the case?  Isn't ignoring MD5 and SHA1
signatures itself sufficient?

     --dkg
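The downgrade concern raised at the top of this message (tag 9 "symmetrically encrypted" packets versus tag 18 SEIPD packets) comes down to a receiver refusing to process tag 9 at all. The following Python is an added example, not code from either poster, showing how a receiver can walk the top-level packet headers of an OpenPGP message (old- and new-format headers as in RFC 4880 section 4.2) and reject any message that carries a tag 9 packet. The two sample messages are constructed byte strings, not real OpenPGP output; partial body lengths and indeterminate-length old-format packets are deliberately not handled.

```python
"""Scan top-level OpenPGP packet headers and reject tag 9 (SED) packets."""
from typing import List, Tuple

# Packet tags from RFC 4880 section 4.3
TAG_SED = 9     # Symmetrically Encrypted Data: no integrity protection
TAG_SEIPD = 18  # Symmetrically Encrypted and Integrity Protected Data


def _parse_header(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for the packet header at pos.

    Partial body lengths (new-format first octet 224..254) and the old-format
    indeterminate length type are rejected rather than parsed."""
    ptag = buf[pos]
    if not ptag & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ptag & 0x40:  # new-format header, RFC 4880 section 4.2.2
        tag = ptag & 0x3F
        b1 = buf[pos + 1]
        if b1 < 192:                       # one-octet length
            return tag, pos + 2, b1
        if b1 <= 223:                      # two-octet length
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:                      # five-octet length
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    # old-format header, RFC 4880 section 4.2.1
    tag = (ptag >> 2) & 0x0F
    ltype = ptag & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nlen = 1 << ltype  # 1, 2 or 4 length octets
    length = int.from_bytes(buf[pos + 1:pos + 1 + nlen], "big")
    return tag, pos + 1 + nlen, length


def packet_tags(buf: bytes) -> List[int]:
    """Return the tags of all top-level packets in buf, in order."""
    tags: List[int] = []
    pos = 0
    while pos < len(buf):
        tag, body, length = _parse_header(buf, pos)
        if body + length > len(buf):
            raise ValueError("truncated packet at offset %d" % pos)
        tags.append(tag)
        pos = body + length
    return tags


def accept_message(buf: bytes) -> bool:
    """Receiver policy: refuse any message carrying a tag 9 packet."""
    return TAG_SED not in packet_tags(buf)


# Constructed samples (not real OpenPGP messages):
# old-format tag 9 header (0xA4 = 1 0 1001 00), one-octet length 3
SED_MSG = bytes([0xA4, 0x03, 0x01, 0x02, 0x03])
# new-format tag 1 (PKESK) with a two-octet length of 200, then a
# new-format tag 18 (SEIPD) packet with a one-octet length of 4
SEIPD_MSG = (bytes([0xC1, 0xC0, 0x08]) + bytes(200)
             + bytes([0xD2, 0x04, 0x01, 0xAA, 0xBB, 0xCC]))

if __name__ == "__main__":
    for name, msg in (("SED_MSG", SED_MSG), ("SEIPD_MSG", SEIPD_MSG)):
        print(name, packet_tags(msg), "accepted" if accept_message(msg) else "rejected")
```

The check is deliberately done on packet headers before any decryption is attempted, so a tag 9 packet never reaches the cipher layer regardless of which symmetric algorithm it claims to use.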
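The one-line `gpg2 --list-keys --with-colons | awk ...` count above tallies field 4 (the public-key algorithm ID) of each `pub`/`sub` record. The Python below is an added example, not code from either poster, that does the same tally with the RFC 4880 section 9.1 names attached and additionally reads field 3 (key length) to list RSA keys falling under the "> 3070 bit" cutoff discussed in the thread. The colon-format sample embedded in it is constructed, not a real keyring; the name for ID 22 follows the EdDSA draft assignment in use at the time, which is an assumption.

```python
"""Tally public-key algorithms and flag short RSA keys in gpg --with-colons output."""
import sys
from collections import Counter
from typing import Dict, List, Tuple

# RFC 4880 section 9.1 IDs; 18 and 19 come from RFC 6637, and 22 is the
# EdDSA draft assignment current in 2015 (assumed here).
PK_ALGOS: Dict[int, str] = {
    1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only", 3: "RSA Sign-Only",
    16: "Elgamal (Encrypt-Only)", 17: "DSA", 18: "ECDH", 19: "ECDSA",
    20: "Reserved (formerly Elgamal Encrypt or Sign)", 22: "EdDSA",
}
RSA_ALGOS = {1, 2, 3}
MIN_RSA_BITS = 3071  # the "> 3070 bit" cutoff from the thread

# Constructed sample of `gpg2 --list-keys --with-colons` output (not a real keyring).
# Field 3 is the key length, field 4 the algorithm ID, field 5 the key ID.
SAMPLE = """\
tru::1:1426000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1400000000:::u:::scESC::::
uid:u::::1400000000::0000000000000000000000000000000000000000::Alice <alice@example.org>:
sub:u:2048:1:FEDCBA9876543210:1400000000:::::e::::
pub:u:4096:1:1111111111111111:1410000000:::u:::scESC::::
sub:u:4096:1:2222222222222222:1410000000:::::e::::
pub:u:1024:17:3333333333333333:1200000000:::u:::scaSC::::
sub:u:2048:16:4444444444444444:1200000000:::::e::::
pub:u:256:22:5555555555555555:1420000000:::u:::scESC::::
sub:u:256:18:6666666666666666:1420000000:::::e::::
"""


def parse_keys(text: str) -> List[Tuple[str, int, int, str]]:
    """Return (record_type, bits, algo_id, keyid) for every pub/sub record."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append((f[0], int(f[2]), int(f[3]), f[4]))
    return keys


def algo_counts(text: str) -> Counter:
    """Same tally as the awk|sort|uniq -c pipeline: algorithm ID -> count."""
    return Counter(algo for _, _, algo, _ in parse_keys(text))


def short_rsa_keys(text: str, min_bits: int = MIN_RSA_BITS) -> List[str]:
    """Key IDs of RSA primary keys and subkeys below the bit-length cutoff."""
    return [keyid for _, bits, algo, keyid in parse_keys(text)
            if algo in RSA_ALGOS and bits < min_bits]


if __name__ == "__main__":
    # Pipe real output in: gpg2 --list-keys --with-colons | python3 keyaudit.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for algo, n in sorted(algo_counts(text).items()):
        print("%6d  %-3d %s" % (n, algo, PK_ALGOS.get(algo, "unknown")))
    for keyid in short_rsa_keys(text):
        print("RSA key %s is below %d bits" % (keyid, MIN_RSA_BITS))
```

Counting primary keys and subkeys together, as the original pipeline does, is what makes RSA-ES (ID 1) dominate: GnuPG marks both the signing primary and the encryption subkey with algorithm 1 and distinguishes usage through the capability flags in field 12, not through IDs 2 and 3.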