Re: [openpgp] Followup on fingerprints
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 29 July 2015 14:31 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716431A6FED for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 07:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RjyiQ-KKdD4Q for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 07:31:42 -0700 (PDT)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FD631A701D for <openpgp@ietf.org>; Wed, 29 Jul 2015 07:31:24 -0700 (PDT)
Received: by lbbyj8 with SMTP id yj8so8211175lbb.0 for <openpgp@ietf.org>; Wed, 29 Jul 2015 07:31:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=kVXS1kidGKLTUCGbczvDrzB/YuIHED5ePCwXf0ID9ic=; b=Uy4eXHwZqAnu+QQOGT1w1EnrBmu/SdDYObwRwZTWhj535FHVoXwnAyI7EAFPZRTOCn Oguca7nJI9t0pkrwX5aituEDlcZ3nwu8qdv5+0DwLI/uheGhOG223wtGFUDlcS1MBHqj jqxz50jAmX0a08SYDPyNh/V6Gw0WmMbxsmZ0XJ4m96gz2WGO/qXavWd2WCsM5+s0rUIS kvdDWzjhJFYt9v5zprp2VH0DsrkgZ4ZeWfbgUyBaAyOMaT/qpP7ReUCnSG6Pa0trLLLr +WW9OUjBhpb+5Q7OHSXNeKSJX2udYJAkKSB/pVpGRjfI9bPGbqDTyEiNf6GrRN+BPaH5 N9mQ==
MIME-Version: 1.0
X-Received: by 10.152.2.2 with SMTP id 2mr39842650laq.58.1438180282559; Wed, 29 Jul 2015 07:31:22 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Wed, 29 Jul 2015 07:31:22 -0700 (PDT)
In-Reply-To: <87twsn2wcz.fsf@vigenere.g10code.de>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de>
Date: Wed, 29 Jul 2015 10:31:22 -0400
X-Google-Sender-Auth: xTPggAUifxij_pZ1UDKQYJcxcCo
Message-ID: <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>
Content-Type: multipart/alternative; boundary="089e013c6470dd72d5051c047039"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/KMxAFFQ_iXh51srWonLjhSfpTfM>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 14:31:44 -0000
OK one thing from the meeting I forgot to mention, the security considerations have to address the use of a birthday attack by someone generating keys. If we are doing ECC, it is quite practical for someone to generate 2^50 keys and then pick the two that match in the first 100 bits. This can then be used for attacks, particularly if the keys are not enrolled in some sort of blockchain. The other bit I left out is the idea of compression. The idea here being that the person generating the key looks for a fingerprint that has 0s for the first n bits. Then the fingerprint starts with a version number that says 'the first 32 bits are 0s' or whatever. Yet another bit that should be mentioned in the security considerations is vanity fingerprints which are going to be more popular with all 26 Latin letters to choose from. And those are a bad idea for the reason given in the meeting. If my key starts off 'MERLI-Nxxxx' there is a temptation to only check those bits. Two important advantages of compression is that it provides an alternative to vanity fingerprints (shorter is better than fancy for most folk) and the work factor is not reduced by the birthday attack. Without compression, a 100 bit fingerprint is 20 characters and 150 bits is 30. The work factor for a birthday attack are 2^50 and 2^75 respectively With 32 bits of compression, the same strength against third party attack is achieved. with 14 and 24 characters. The work factor for a birthday attack are 2^66 and 2^81 respectively On Wed, Jul 29, 2015 at 4:37 AM, Werner Koch <wk@gnupg.org> wrote: > On Tue, 28 Jul 2015 16:52, phill@hallambaker.com said: > > > * Contact some usability types to ask about usability and changing up the > > block sizes. > > OpenPGP does not specify a user interface but the wire format. > Obviously we use the most compact format there which is the plain binary > format. The questions are > That is how we used to work in the 1990s. Since then we have had to do internationalization and such. As I started saying back then, the hardest part of a transaction to secure is the first/last two feet between the user's head and the screen. > - Do we need to explicity indicate the fingerprinting scheme (SHA-1 or > SHA-256, or whatever) in the binary represenation. > Yes, totally. I am suggesting we put code points in for the SHA-2-512 digest and the SHA-3-512 digest. The reason for going for the big digest even though we plan to truncate is that gives us maximal insurance against a compromise. These are the trust axioms of the system. > - Do we need truncation and how do we indicate a fingerprint scheme > then given that it can't be deduced from the length. > My preference is to just truncate and use the inferred length. That allows us to minimize the amount of data we need to put in front of the user without compromising security. Lets say that in 2020 Alice meets Bob and they exchange their fingerprints via a 150 bit QR code. Alice's smartphone goes to the mesh and pulls the corresponding profile which has Bob's key and full 512 bit fingerprint. The phone then stores the big fingerprint for Bob in her contacts directory. I cannot imagine wanting to rely on a contract signature without pulling the full record. > - Should we bind a certain fingerprint scheme to a public key packet > versions as we did in the past (v3 = MD5, v4 = SHA1, maybe v5 = > SHA256 with keyid being the leftmost octets). Or is it okay to > allow for multipe fingerprint schemes for the same key. This is the 'domain separation' issue that was mentioned in the meeting. I believe that we have to be able to revise the algorithm used to revise the fingerprint and the format of the data being formatted independently. As far as OpenPGP goes, the version indication inside the key packet should be sufficient for v5. The only reason the version indication would not be sufficient would be if a completely radical change to the format was being considered such as moving all the structures to YANG, CBOR, JSON or JSON-B. The proposal I have made is capable of dealing with that type of change with clean cryptographic separation of the content domains.
- [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Wyllys Ingersoll
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Peter Pentchev
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Bill Frantz
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Bill Frantz