Re: [openpgp] Disadvantages of Salted Signatures

"Neal H. Walfield" <neal@walfield.org> Mon, 11 December 2023 09:32 UTC

Date: Mon, 11 Dec 2023 10:32:50 +0100
Message-ID: <87il55rsn1.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Stephan Verbücheln <verbuecheln@posteo.de>
Cc: openpgp@ietf.org
In-Reply-To: <a38abd9349683c1c0762daa8b203bc8578fc4853.camel@posteo.de>
References: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de> <8b5f251f-ae52-4937-9500-ddedb9fbef73@cs.tcd.ie> <709995498037ba59fb1a14d75ffa819702566d83.camel@posteo.de> <df7f0b41-f998-4f0e-b07e-67231031e54b@cs.tcd.ie> <a38abd9349683c1c0762daa8b203bc8578fc4853.camel@posteo.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/KG-pITMvEw7hbQ8iC46cwBy14XE>

On Mon, 11 Dec 2023 08:37:21 +0100,
Stephan Verbücheln wrote:
> On Sun, 2023-12-10 at 13:58 +0000, Stephen Farrell wrote:
> > All that said, in that discussion, we should bear in mind that
> > the likelihood that we change or re-open crypto-refresh is small,
> > and that should be the case, unless we find some show-stopper
> > issue. FWIW, I don't think this is one such.
> 
> At least 13.2 is so erroneous that it has potential to damage the
> reputation of the standard. The references do not support either of the
> claims. One could also ask: Does such a deep dive into cryptography
> even belong there?
> 
> The signature format itself looks fine, but it adds (yet) unjustified
> bloat and complexity, and the disadvantages have not been discussed. So
> should it be really mandatory?
> 
> This change appears to be proposed by one party with one particular use
> case: Implementing PGP in JavaScript in the browser.

The Sequoia team discussed adding a salt to signatures to mitigate
these types of attacks when we heard about Shambles in 2020.  The
discussion is here:

  https://gitlab.com/sequoia-pgp/sequoia/-/issues/597

The commit where we add the salt is here:

  https://gitlab.com/sequoia-pgp/sequoia/-/commit/4a971af5abe70d41485df141a3d9fa97eaab5f1c

(Note: the crypto-refresh places the salt earlier in the data that is
hashed, which is better than our solution.)

A cryptographer agreed with our analysis, and we observed that OpenSSH
does the same thing for the same reason:

  The nonce field is a CA-provided random bitstring of arbitrary
  length (but typically 16 or 32 bytes) included to make attacks that
  depend on inducing collisions in the signature hash infeasible.

  https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L151

Neal
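An added illustration of the parenthetical in the message above (why the salt should be hashed early), not code from the message or from the Sequoia project: a toy Merkle-Damgard hash with a 32-bit chaining value, small enough that a collision can be found by brute force in well under a second. The block size, IV, trailer bytes and salt values are all constructed for the example. It shows that a salt hashed after the colliding data leaves a precomputed collision intact, that a fresh salt hashed first breaks it, and that a reused or predictable salt hands the advantage back to the attacker.

```python
"""Added example (not from the original message or the Sequoia project):
a toy Merkle-Damgard hash with a 32-bit state, small enough that a
collision can be found by brute force, used to show why a signature
salt must be hashed before attacker-controlled data."""
from __future__ import annotations

import hashlib
import struct

BLOCK = 8    # toy block size in bytes (constructed parameter)
STATE = 4    # toy chaining value: 32 bits, so ~2^16 work per collision
IV = b"\x00" * STATE


def _compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) truncated to 32 bits."""
    return hashlib.sha256(state + block).digest()[:STATE]


def _absorb(state: bytes, data: bytes) -> bytes:
    """Run the compression function over whole blocks (len(data) % BLOCK == 0)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard: pad with 0x80, zeros and the 64-bit bit length, then absorb."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    padded += struct.pack(">Q", len(msg) * 8)
    return _absorb(IV, padded)


def find_collision(known_prefix: bytes = b"") -> tuple[bytes, bytes]:
    """Birthday search for two distinct one-block messages m1 != m2 that reach the
    same chaining value after known_prefix || m.  Everything hashed afterwards is
    then identical for both, so toy_hash(known_prefix + m1 + X) equals
    toy_hash(known_prefix + m2 + X) for every suffix X (equal lengths, equal padding)."""
    start = _absorb(IV, known_prefix)
    seen: dict[bytes, bytes] = {}
    counter = 0
    while True:
        m = struct.pack(">Q", counter)      # every candidate is distinct
        s = _compress(start, m)
        if s in seen:
            return seen[s], m
        seen[s] = m
        counter += 1


def hash_salt_last(doc: bytes, trailer: bytes, salt: bytes) -> bytes:
    """Salt hashed after the document, i.e. after any attacker-chosen data."""
    return toy_hash(doc + trailer + salt)


def hash_salt_first(doc: bytes, trailer: bytes, salt: bytes) -> bytes:
    """Salt hashed first, before any data the attacker could have chosen."""
    return toy_hash(salt + doc + trailer)


def demo() -> dict:
    # Constructed inputs: a trailer standing in for signature metadata, and a
    # 16-byte salt the signer draws only after the attacker prepared the documents.
    trailer = b"v4-trailer-data!"   # 16 bytes, block aligned
    fresh_salt = b"\x5a" * 16       # a real signer would use os.urandom(16)
    m1, m2 = find_collision()       # attacker precomputes without knowing the salt
    results = {
        "distinct_documents": m1 != m2,
        "raw_collision": toy_hash(m1) == toy_hash(m2),
        # Appending the salt cannot separate the two documents: the chaining
        # value already matches before the salt is absorbed.
        "salt_last_still_collides":
            hash_salt_last(m1, trailer, fresh_salt) == hash_salt_last(m2, trailer, fresh_salt),
        # Prepending an unpredictable salt changes the starting state, so the
        # precomputed pair no longer collides (except with probability 2^-32 here).
        "salt_first_collides":
            hash_salt_first(m1, trailer, fresh_salt) == hash_salt_first(m2, trailer, fresh_salt),
    }
    # Caveat: the protection rests on the salt being unknown when the collision
    # is computed.  A reused or predictable salt lets the attacker search from
    # the salted state instead, and salt-first no longer helps.
    reused_salt = fresh_salt
    p1, p2 = find_collision(known_prefix=reused_salt)
    results["known_salt_first_collides"] = (
        hash_salt_first(p1, trailer, reused_salt) == hash_salt_first(p2, trailer, reused_salt)
    )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `salt_last_still_collides` case is the Merkle-Damgard extension property: once two equal-length inputs share a chaining value, any common suffix, a salt included, hashes to the same digest. The `known_salt_first_collides` case is the practitioner's check on the mitigation itself: the salt only helps when it is fresh for every signature and drawn after the data to be signed is fixed.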