IETF Logo Mail Archive

Re: [openpgp] Followup on fingerprints

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 29 July 2015 14:31 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716431A6FED for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 07:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RjyiQ-KKdD4Q for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 07:31:42 -0700 (PDT)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FD631A701D for <openpgp@ietf.org>; Wed, 29 Jul 2015 07:31:24 -0700 (PDT)
Received: by lbbyj8 with SMTP id yj8so8211175lbb.0 for <openpgp@ietf.org>; Wed, 29 Jul 2015 07:31:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=kVXS1kidGKLTUCGbczvDrzB/YuIHED5ePCwXf0ID9ic=; b=Uy4eXHwZqAnu+QQOGT1w1EnrBmu/SdDYObwRwZTWhj535FHVoXwnAyI7EAFPZRTOCn Oguca7nJI9t0pkrwX5aituEDlcZ3nwu8qdv5+0DwLI/uheGhOG223wtGFUDlcS1MBHqj jqxz50jAmX0a08SYDPyNh/V6Gw0WmMbxsmZ0XJ4m96gz2WGO/qXavWd2WCsM5+s0rUIS kvdDWzjhJFYt9v5zprp2VH0DsrkgZ4ZeWfbgUyBaAyOMaT/qpP7ReUCnSG6Pa0trLLLr +WW9OUjBhpb+5Q7OHSXNeKSJX2udYJAkKSB/pVpGRjfI9bPGbqDTyEiNf6GrRN+BPaH5 N9mQ==
MIME-Version: 1.0
X-Received: by 10.152.2.2 with SMTP id 2mr39842650laq.58.1438180282559; Wed, 29 Jul 2015 07:31:22 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Wed, 29 Jul 2015 07:31:22 -0700 (PDT)
In-Reply-To: <87twsn2wcz.fsf@vigenere.g10code.de>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de>
Date: Wed, 29 Jul 2015 10:31:22 -0400
X-Google-Sender-Auth: xTPggAUifxij_pZ1UDKQYJcxcCo
Message-ID: <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>
Content-Type: multipart/alternative; boundary="089e013c6470dd72d5051c047039"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/KMxAFFQ_iXh51srWonLjhSfpTfM>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 14:31:44 -0000

OK one thing from the meeting I forgot to mention, the security
considerations have to address the use of a birthday attack by someone
generating keys.

If we are doing ECC, it is quite practical for someone to generate 2^50
keys and then pick the two that match in the first 100 bits. This can then
be used for attacks, particularly if the keys are not enrolled in some sort
of blockchain.

The other bit I left out is the idea of compression. The idea here being
that the person generating the key looks for a fingerprint that has 0s for
the first n bits. Then the fingerprint starts with a version number that
says 'the first 32 bits are 0s' or whatever.

Yet another bit that should be mentioned in the security considerations is
vanity fingerprints which are going to be more popular with all 26 Latin
letters to choose from. And those are a bad idea for the reason given in
the meeting. If my key starts off 'MERLI-Nxxxx' there is a temptation to
only check those bits.

Two important advantages of compression is that it provides an alternative
to vanity fingerprints (shorter is better than fancy for most folk) and the
work factor is not reduced by the birthday attack.


Without compression, a 100 bit fingerprint is 20 characters and 150 bits is
30. The work factor for a birthday attack are 2^50 and 2^75 respectively

With 32 bits of compression, the same strength against third party attack
is achieved. with 14 and 24 characters. The work factor for a birthday
attack are 2^66 and 2^81 respectively


On Wed, Jul 29, 2015 at 4:37 AM, Werner Koch <wk@gnupg.org> wrote:

> On Tue, 28 Jul 2015 16:52, phill@hallambaker.com said:
>
> > * Contact some usability types to ask about usability and changing up the
> > block sizes.
>
> OpenPGP does not specify a user interface but the wire format.
> Obviously we use the most compact format there which is the plain binary
> format.  The questions are
>

That is how we used to work in the 1990s. Since then we have had to do
internationalization and such.

As I started saying back then, the hardest part of a transaction to secure
is the first/last two feet between the user's head and the screen.



>   - Do we need to explicity indicate the fingerprinting scheme (SHA-1 or
>     SHA-256, or whatever) in the binary represenation.
>

Yes, totally. I am suggesting we put code points in for the SHA-2-512
digest and the SHA-3-512 digest.

The reason for going for the big digest even though we plan to truncate is
that gives us maximal insurance against a compromise. These are the trust
axioms of the system.



>   - Do we need truncation and how do we indicate a fingerprint scheme
>     then given that it can't be deduced from the length.
>

My preference is to just truncate and use the inferred length. That allows
us to minimize the amount of data we need to put in front of the user
without compromising security.

Lets say that in 2020 Alice meets Bob and they exchange their fingerprints
via a 150 bit QR code. Alice's smartphone goes to the mesh and pulls the
corresponding profile which has Bob's key and full 512 bit fingerprint. The
phone then stores the big fingerprint for Bob in her contacts directory.

I cannot imagine wanting to rely on a contract signature without pulling
the full record.



>   - Should we bind a certain fingerprint scheme to a public key packet
>     versions as we did in the past (v3 = MD5, v4 = SHA1, maybe v5 =
>     SHA256 with keyid being the leftmost octets).  Or is it okay to
>     allow for multipe fingerprint schemes for the same key.


This is the 'domain separation' issue that was mentioned in the meeting.

I believe that we have to be able to revise the algorithm used to revise
the fingerprint and the format of the data being formatted independently.

As far as OpenPGP goes, the version indication inside the key packet should
be sufficient for v5. The only reason the version indication would not be
sufficient would be if a completely radical change to the format was being
considered such as moving all the structures to YANG, CBOR, JSON or JSON-B.

The proposal I have made is capable of dealing with that type of change
with clean cryptographic separation of the content domains.

v2.23.0 | Report a Bug | By Email