[openpgp] Sec. Considerations MUST about S2K [was: Re: I-D Action: draft-ietf-openpgp-crypto-refresh-02.txt]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 27 February 2021 17:52 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7393E3A1093 for <openpgp@ietfa.amsl.com>; Sat, 27 Feb 2021 09:52:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=H+/vS4Lf; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=fbWAjn9/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5duMYOOiL4M for <openpgp@ietfa.amsl.com>; Sat, 27 Feb 2021 09:52:28 -0800 (PST)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1D8B3A1086 for <openpgp@ietf.org>; Sat, 27 Feb 2021 09:52:27 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1614448017; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=FUXGkIlQHXXbXG6Kf4RWrD03wfWgJCuapKF6UYWs0gk=; b=H+/vS4LfFU19pjPkBFxutULxMqSm7PirCrpEja8OG5F6McPjK4lHCUnEaaDaL53s9tlxc Gobejo66Z7OtQClBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1614448017; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=FUXGkIlQHXXbXG6Kf4RWrD03wfWgJCuapKF6UYWs0gk=; b=fbWAjn9/HML6c2LVO19UlvS1Ek5ZmoADV3nMHMwR1G01PwgHgiy/88ekeGcRMZbRo/pii 7/0dn8cTNnw7yeS2h1s/TE0AZQ1OvJ1NMufMFXU+1NrvTdHFGC0X9ivFByaGF1qRPmiWS8g n+PZcI95eRxGlWBFdK5wsWcFz6R8UJWSN87vWB5DZ4xfz1Hx33nc9MilXN9EOM38sUrVuKR j8sGtT2itk+OhBofxvEDkAy5pb2yqZVxLtotqUqXv5VZvrp1A/mJsT9EX2w6Cdruyak+jyg P+OBh62xPJ8Varm6U7YW9cGIDe1rD4JkA4bgn8UTIWLDQHpamstzZxRPv6VA==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 36D09F9A6; Sat, 27 Feb 2021 12:46:55 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 054AB2065F; Fri, 26 Feb 2021 23:52:24 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Neal H. Walfield" <neal@walfield.org>, Paul Wouters <paul@nohats.ca>
Cc: openpgp@ietf.org
In-Reply-To: <87h7lzavvc.wl-neal@walfield.org>
References: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca> <87h7lzavvc.wl-neal@walfield.org>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 26 Feb 2021 23:52:23 -0500
Message-ID: <87mtvqcdtk.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/L0qcluEj0MhNcLpibtRJBTR4l3Q>
Subject: [openpgp] Sec. Considerations MUST about S2K [was: Re: I-D Action: draft-ietf-openpgp-crypto-refresh-02.txt]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2021 17:52:29 -0000

On Fri 2021-02-26 12:53:11 +0100, Neal H. Walfield wrote:
> Hi,
>
>> - Incorporated RFC 6637 (ECDSA and ECDH, using NIST curves)
>
>   # Security Considerations
>
>   A compliant application MUST only use iterated and salted S2K to
>   protect private keys, as defined in {{iterated-and-salted-s2k}},
>   "Iterated and Salted S2K".
>
> This precludes the use of private S2K algorithms (algos 100 to 110).
>
>   https://tools.ietf.org/html/rfc4880#section-3.7
>
> Would a MUST NOT use Simple S2K and MUST NOT use Salted S2K be better?

I'm not sure about this at all.  For example, consider a system that
knows that the string is high-entropy ("good key equivalent") -- should
they be prohibited from using Simple or Salted S2K?  Is this MUST really
an interoperability concern as §6 of RFC 2119 suggests?

Furthermore, if this guidance is applicable to private key storage and
S2K, shouldn't it show up in those sections as well, not just in the
Security Considerations section?

I've opened a ticket to track this:
https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/20

I welcome proposals for how to fix it.

        --dkg