Re: [openpgp] Disadvantages of Salted Signatures

Nickolay Olshevsky <o.nickolay@gmail.com> Mon, 11 December 2023 16:56 UTC

Return-Path: <o.nickolay@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C98ECC14F747 for <openpgp@ietfa.amsl.com>; Mon, 11 Dec 2023 08:56:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DHsQgi0E0k9 for <openpgp@ietfa.amsl.com>; Mon, 11 Dec 2023 08:56:35 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 806B9C14CF1B for <openpgp@ietf.org>; Mon, 11 Dec 2023 08:56:35 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-54c64316a22so6366990a12.0 for <openpgp@ietf.org>; Mon, 11 Dec 2023 08:56:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702313793; x=1702918593; darn=ietf.org; h=in-reply-to:autocrypt:from:references:to:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=SiSuFvy/fTX6Zbxz3AFvx553PrUema0A2w33rFmcIFU=; b=Pqs7/ccKhGAxsTdewJNRC9Rhq+lfRLgV3KoEDsJ3QRGHPFoSe4EFiEOhIvhUdPwT2j yxg2Risuwtm1bjsdzUVAYzlperZWY6jZ2WGuA1SGZ8W6Y8tjunhGCUll0WEcEPJ34djA zJHVkUamgQm6Cqf/n7BtQS93V15QnbK5/p2hsobTJ+XXQBnMUMSQLMGCPl1/CuO/Wroe hqBTlcpTzuNXejYZFggVcTmcAudmk6ii/5ghAOvKg7nm3bT7D6na4pLKVhsCzc1YazFF E8m30M+aALvq7YVEKVKtmyce/XvX7GuO/0BxP7KlDRToWuajNAykq8dQPpT6o2dZ2m0t nxHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702313793; x=1702918593; h=in-reply-to:autocrypt:from:references:to:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=SiSuFvy/fTX6Zbxz3AFvx553PrUema0A2w33rFmcIFU=; b=aORcW1xWTIJLHZpp9w50KeGawloAGf9AniYhNr6B8wYfCnVQMZnsBMUZTBvFBX/l4Y eWHcMQ9JPFsRSWebJWfiih9Wtu4IxXT6DVKWS+RngVB68QD3tgNSdAddr9sooIy2bQE+ S/hZ4iK1+pFWr4P9GdIYLDEOiTw/gfjJ9gS6+7+I03Wayp/jdFN3/Iu4kAcSUXbQK0ut SJvHx3IH8qMtYZyZcLhpJNSlzibrNnAJc7gKZUHBWFvpcIXFqhXYdMXL9hRrnL7PxGeO esWday2g5c/Eja07+Uj4ABXMQopfPyRKvlSBDhrmShuOXYKsRIH8DLWUCm+tl7XvLbmq xyQQ==
X-Gm-Message-State: AOJu0YwXxbWvJFThE7o63vW4BeJqGukiHPFqN31S8e0VgEI+NkUwTcHq LsIpVwyVeK23sh6ZcNoQA7pS2q3kwUE=
X-Google-Smtp-Source: AGHT+IE1cnb71st8kbKOya24xSzE0ZXDb7FwMmzn3IRf+QJinweAHRiWgD5cOxYjKBn1Fepwmm9wvQ==
X-Received: by 2002:a17:906:18d:b0:a1f:b541:6252 with SMTP id 13-20020a170906018d00b00a1fb5416252mr514560ejb.92.1702313793179; Mon, 11 Dec 2023 08:56:33 -0800 (PST)
Received: from [192.168.88.164] ([46.229.60.139]) by smtp.gmail.com with ESMTPSA id uy9-20020a170907d10900b00a1f853c8a09sm3447704ejc.115.2023.12.11.08.56.32 for <openpgp@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 11 Dec 2023 08:56:32 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------GChfFbWXkOzDNq3R1eymKusS"
Message-ID: <db25c5b9-0d08-4b45-85c9-49b8277d80ec@gmail.com>
Date: Mon, 11 Dec 2023 18:56:31 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
To: openpgp@ietf.org
References: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de> <87jzplrtfy.wl-neal@walfield.org> <87bd4895386b3a0cd0c62429b0b85df6f1860da2.camel@posteo.de>
From: Nickolay Olshevsky <o.nickolay@gmail.com>
Autocrypt: addr=o.nickolay@gmail.com; keydata= xm8EXrEsexMFK4EEACIDAwQqzVDrNPoyfcq4glxNmTEa0OCh1pmY/CcnrJb/bd9Cqi5eCOjF rTHjdY7SMXH5KQlrcQJwjiuyecr8S+GzUnKbE7fYjrg0YjhXr9SzA0xQ7rN1EanYl0lK6m21 zCjitOjNKU5pY2tvbGF5IE9sc2hldnNreSA8by5uaWNrb2xheUBnbWFpbC5jb20+wrkEExMJ AEECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGQEWIQRGfUTJeA+FOnu7NUq4LmkIQ+XE IwUCYrGmagUJB8Lg7wAKCRC4LmkIQ+XEI0iYAX0Ys7QcBnSCRI4OXE3AIBXafwO7oV+0NDxL eokgj1Ij2A9AbAVS4fo1eH0AMhg7ZioBgJDBYDIFljrGDWnmPZ8QSqfr79BPwInndqPbrrxH 0NiqzttaxqxXQkhoGfRUIhQcM85zBF6xLHsSBSuBBAAiAwMEHRW8a30kMl2MaIulUJfAM1wM AmmUnSRIcbR2dbjzqz4FNl6kLlvy0zXdtW6fiiWtX9LKUuazQPV9q4tSkkSlPOzKVsx3eE4X 3HjUD6ZDN13dd3Gd72km/4gV7LolU7g5AwEJCMKeBBgTCQAmAhsMFiEERn1EyXgPhTp7uzVK uC5pCEPlxCMFAmKxposFCQfC4RAACgkQuC5pCEPlxCOonQGAzzZukeMuAgLmkP9lUvH0JAfQ ENuwDmGF5kHAhAsYYMeQarg1CtOsosCjYusjLZZYAYDUOpI5VGATb3JTm38FdjUWb8QwlEym r1YeKy3FePmtNF2jXmIcIwqwhj1p39xdFGc=
In-Reply-To: <87bd4895386b3a0cd0c62429b0b85df6f1860da2.camel@posteo.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/L8keJfAixhmV4rUjnJB-yNY2zO0>
Subject: Re: [openpgp] Disadvantages of Salted Signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2023 16:56:39 -0000

Hi Stephan,

As far as I  remember there were proposal of adding some 'salt' 
signature subpacket, which would serve exactly same purpose.

This would work in both cases: if implementation needs salt, it would 
add it as subpacket, or do not add otherwise.

 From the implementors point of view this would also be more 
interoperable with older implementations / RFC 4880.


On 11.12.2023 18:43, Stephan Verbücheln wrote:
> Now I agree that this is a useful measure in scenarios where a victim
> signs data for the attacker, such as the PGP “certify” operation. It
> just does not prevent the signer himself from creating collisions. So
> with that, my objections are reduced a lot.
>
> I believe, the following two questions are still worth debating because
> the mandatory salt does not come at zero cost.
>
> Is it practically relevant?
> Hash algorithms which are vulnerable to collisions should not be used
> anyway. SHA-1 was deprecated in 2011, a long time before that attack
> was demonstrated.
>
> Does it make sense to have it mandatory or default?
> In most cases, PGP users sign their own data (e-mails, software
> tarballs etc.). It could nevertheless be default for “certify”
> operations.
>
> Regards
> Stephan

-- 
   Best regards,
   Nickolay Olshevsky
   o.nickolay@gmail.com