[openpgp] session key length with SEIPDv2
Heiko Schäfer <heiko.schaefer@posteo.de> Mon, 23 September 2024 01:48 UTC
Return-Path: <heiko.schaefer@posteo.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8422C16940F for <openpgp@ietfa.amsl.com>; Sun, 22 Sep 2024 18:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xisJP8qwUW6I for <openpgp@ietfa.amsl.com>; Sun, 22 Sep 2024 18:48:09 -0700 (PDT)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48521C14CE22 for <openpgp@ietf.org>; Sun, 22 Sep 2024 18:48:07 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 088DC240101 for <openpgp@ietf.org>; Mon, 23 Sep 2024 03:48:05 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1727056086; bh=Gv/sKycn/eqBZxDGZdRF2sZSyhc0KZ42md5n4nTIlRU=; h=Message-ID:Date:MIME-Version:To:From:Subject:Content-Type: Content-Transfer-Encoding:From; b=c6GRt2EQUM2NGScjsDDnx0ZO97gtK/RVWsZO5q46nKjGTEjGkMh2GNuu1wremNWal C2gyjZzQx5gimmHmY8SENgNnXfa38ZMeiG0WfVcNTOtdDNpo/hiyO/PrN+JqhFNcP+ 3g453j05/GtCEzpXXQ2jJ2DT85r2mZjBBbChi0WpgT9bSr8yGpC5qToIA0WHp4Nxbr 8gAfchxJ6A8hx+p9vyecugAyTIQooDHKaTCJgQqb8ET1pHVMKkHRPIukBhhNry0vvI GBQeIZFAS7MoEFhZVM3838X5XxX3hHgt1p9TGqGZ49vm3bz1lJvuGQ5KsnFrnGrvXm YL4l4LeL0wYAg==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4XBm914Rqwz6tym for <openpgp@ietf.org>; Mon, 23 Sep 2024 03:48:05 +0200 (CEST)
Received: from services.foundation.hs (services.foundation.hs [192.168.21.4]) by mail.foundation.hs (Postfix) with ESMTP id 3AA91705C5 for <openpgp@ietf.org>; Mon, 23 Sep 2024 03:48:05 +0200 (CEST)
Message-ID: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de>
Date: Mon, 23 Sep 2024 01:48:04 +0000
MIME-Version: 1.0
To: openpgp@ietf.org
Content-Language: en-US
From: Heiko Schäfer <heiko.schaefer@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: MBPN2ZOOBNSIRAF5FTWMIILHBNLQNMG5
X-Message-ID-Hash: MBPN2ZOOBNSIRAF5FTWMIILHBNLQNMG5
X-MailFrom: heiko.schaefer@posteo.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Mw3KOReRH7HG8fMTN42C2QSgknw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hello list, I believe RFC 9580 doesn't explicitly specify the expected/correct length of session keys for SEIPDv2, and think this is an oversight. With SEIPDv1, the session key length - by definition - must equal the key length of the symmetric cipher. However, the construction in SEIPDv2 technically works with session keys of any length. I imagine that the intent in RFC 9580 is that the session key length in SEIPDv2 must also equal the key length of the symmetric cipher. However, with the RFC as it stands, receiving implementations don't have clear guidance to reject overly short SEIPDv2 session keys (or unreasonably large ones). This strikes me as an unfortunate risk for the ecosystem: An application could produce SEIPDv2 encrypted messages that use one-byte long session keys (and send them over risky transports). Multiple libraries would currently cheerfully accept and decrypt such a message, giving users the (questionable) sense that the message was strongly protected. Of course one could argue that senders should just do better. But I don't find that a fully satisfying perspective. After all, recipients can very easily reject such dubious messages, and surface their fishiness. If there is indeed no legitimate reason why the length of a SEIPDv2 session key should ever differ from the symmetric cipher key length, then I think we should clarify (with an erratum for RFC 9580?) that: - The session key length for a SEIPDv2 packet must be equal to the symmetric cipher key length. - Recipients must refuse to decrypt SEIPDv2 packets with session keys of differing length. Thanks, Heiko PS: For reference, I have previously raised this point in https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/146, and this issue contains some discussion
- [openpgp] session key length with SEIPDv2 Heiko Schäfer
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Justus Winter
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor