Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
Justus Winter <justus@sequoia-pgp.org> Wed, 27 July 2022 22:02 UTC
Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4769CC13CCFE for <openpgp@ietfa.amsl.com>; Wed, 27 Jul 2022 15:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NY7W1dvDtzXE for <openpgp@ietfa.amsl.com>; Wed, 27 Jul 2022 15:02:30 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7B09C13CCCB for <openpgp@ietf.org>; Wed, 27 Jul 2022 15:01:06 -0700 (PDT)
Received: (qmail 28196 invoked by uid 500); 27 Jul 2022 22:01:03 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Bruce Walzer <bwalzer@59.ca>
Cc: openpgp@ietf.org
In-Reply-To: <YuFc+w02FiRQmHcg@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca>
Date: Thu, 28 Jul 2022 00:00:57 +0200
Message-ID: <87bktajjvq.fsf@thinkbox>
MIME-Version: 1.0
Content-Type: text/plain
X-Rspamd-Bar: /
X-Rspamd-Report: MIME_GOOD(-0.1) MID_RHS_NOT_FQDN(0.5) BAYES_HAM(-0.000681)
X-Rspamd-Score: 0.399318
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/2.8.28) with ESMTPSA; Thu, 28 Jul 2022 00:01:03 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/L66xxLHMuvDl3vc-JS8mgprLFo0>
Subject: Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 22:02:32 -0000
Bruce Walzer <bwalzer@59.ca> writes: > On Tue, Jul 26, 2022 at 06:51:25PM +0200, Justus Winter wrote: > >> > OpenPGP is a messaging standard and has to be such that >> > interoperability is possible between different systems. That is at >> > odds with normal Argon2 usage. >> >> If you are doing pre-shared key encryption, you have to communicate the >> key to the recipient, hence you do know in what context the data will be >> decrypted. > > How would this work in practice? Would we ask the user for the Argon2 parameters at encryption time? > > Enter passphrase: *********************** > Enter memory available for decryption (KiB): 2000 > Enter execution threads available for decryption: 8 > Enter passes for decryption: 3 How would S2K work in practice? Enter passphrase: *********************** Enter S2K type: Iterated and Salted Enter hash algorithm: RipeMD160 Enter octet count: 65000000 Error: Invalid octet count, must be a integer solution to (16 + m) * 2^(6 + e) Enter octet count: 65011712 >> Even if you don't, let's say you are archiving some data, >> experience tells us that available memory will grow, not shrink, so >> whatever memory you can supply now for the encryption, you can be sure >> that the future recipient will have enough to decrypt it. > > Memory here is the memory available to the task, not the overall > system. Restricting that memory is all the rage these days because of > containerization/virtualization and on mobile to overcome the effects > of misbehaving apps. If you don't have enough RAM, you cannot decrypt it (in reasonable time). This is not unlike the situation that you won't be able to decrypt it if you don't support the cipher, AEAD mode, or OpenPGP version (anymore). If your computation environment is unsuitable, you won't be able to decrypt it. That is no different from the status quo. >> > I think that more work needs to be done here to generate a valid >> > proposal. At this point it is not clear to me that such a proposal is >> > even possible. We might have to in the end consider other >> > approaches. As it is, we are basically dumping a complicated >> > technology into a long term standard with all the knobs exposed with >> > the hope that someone will come along later and find an effective use >> > for it. >> >> It is not complicated. It is not new. It is widely implemented, and >> the RFC gives recommendation for the parameters. > > Multiple, widely different recommendations. On the one hand you are worried that the recipient won't be able to decrypt it because of computational constraints, on the other hand you are unhappy that the algorithm can be tuned to the target system. Which one is it? And, it even gives you an algorithm to tune the parameters. You were quite fond of how GnuPG tunes the S2K octet count. You should be extra happy that the same can be done for Argon2. >> Note that for the >> legacy S2K mechanisms, even though there are multiple knobs, the RFC >> gives no guidance whatsoever. > > The only relevant knob is the count for "Iterated and Salted S2K" > which directly maps to CPU difficulty. One degree of freedom is much > easier to deal with than several. It is easier, but it denies recent advances in the kind of computation environments that are available to adversaries. Best, Justus
- [openpgp] The Argon2 proposal seems incomplete (D… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Werner Koch
- Re: [openpgp] The Argon2 proposal seems incomplet… Paul Wouters
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… brian m. carlson
- Re: [openpgp] The Argon2 proposal seems incomplet… Stephen Farrell
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- [openpgp] OpenPGP encryption block modes (Was: Th… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Benjamin Kaduk
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes (Was… Phillip Hallam-Baker
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Ángel
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Kahn Gillmor