[openpgp] session key length with SEIPDv2

Heiko Schäfer <heiko.schaefer@posteo.de> Mon, 23 September 2024 01:48 UTC

Return-Path: <heiko.schaefer@posteo.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8422C16940F for <openpgp@ietfa.amsl.com>; Sun, 22 Sep 2024 18:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xisJP8qwUW6I for <openpgp@ietfa.amsl.com>; Sun, 22 Sep 2024 18:48:09 -0700 (PDT)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48521C14CE22 for <openpgp@ietf.org>; Sun, 22 Sep 2024 18:48:07 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 088DC240101 for <openpgp@ietf.org>; Mon, 23 Sep 2024 03:48:05 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1727056086; bh=Gv/sKycn/eqBZxDGZdRF2sZSyhc0KZ42md5n4nTIlRU=; h=Message-ID:Date:MIME-Version:To:From:Subject:Content-Type: Content-Transfer-Encoding:From; b=c6GRt2EQUM2NGScjsDDnx0ZO97gtK/RVWsZO5q46nKjGTEjGkMh2GNuu1wremNWal C2gyjZzQx5gimmHmY8SENgNnXfa38ZMeiG0WfVcNTOtdDNpo/hiyO/PrN+JqhFNcP+ 3g453j05/GtCEzpXXQ2jJ2DT85r2mZjBBbChi0WpgT9bSr8yGpC5qToIA0WHp4Nxbr 8gAfchxJ6A8hx+p9vyecugAyTIQooDHKaTCJgQqb8ET1pHVMKkHRPIukBhhNry0vvI GBQeIZFAS7MoEFhZVM3838X5XxX3hHgt1p9TGqGZ49vm3bz1lJvuGQ5KsnFrnGrvXm YL4l4LeL0wYAg==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4XBm914Rqwz6tym for <openpgp@ietf.org>; Mon, 23 Sep 2024 03:48:05 +0200 (CEST)
Received: from services.foundation.hs (services.foundation.hs [192.168.21.4]) by mail.foundation.hs (Postfix) with ESMTP id 3AA91705C5 for <openpgp@ietf.org>; Mon, 23 Sep 2024 03:48:05 +0200 (CEST)
Message-ID: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de>
Date: Mon, 23 Sep 2024 01:48:04 +0000
MIME-Version: 1.0
To: openpgp@ietf.org
Content-Language: en-US
From: Heiko Schäfer <heiko.schaefer@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: MBPN2ZOOBNSIRAF5FTWMIILHBNLQNMG5
X-Message-ID-Hash: MBPN2ZOOBNSIRAF5FTWMIILHBNLQNMG5
X-MailFrom: heiko.schaefer@posteo.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Mw3KOReRH7HG8fMTN42C2QSgknw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hello list,

I believe RFC 9580 doesn't explicitly specify the expected/correct 
length of session keys for SEIPDv2, and think this is an oversight.

With SEIPDv1, the session key length - by definition - must equal the 
key length of the symmetric cipher.
However, the construction in SEIPDv2 technically works with session keys 
of any length.

I imagine that the intent in RFC 9580 is that the session key length in 
SEIPDv2 must also equal the key length of the symmetric cipher.
However, with the RFC as it stands, receiving implementations don't have 
clear guidance to reject overly short SEIPDv2 session keys (or 
unreasonably large ones).

This strikes me as an unfortunate risk for the ecosystem: An application 
could produce SEIPDv2 encrypted messages that use one-byte long session 
keys (and send them over risky transports). Multiple libraries would 
currently cheerfully accept and decrypt such a message, giving users the 
(questionable) sense that the message was strongly protected.

Of course one could argue that senders should just do better. But I 
don't find that a fully satisfying perspective.
After all, recipients can very easily reject such dubious messages, and 
surface their fishiness.


If there is indeed no legitimate reason why the length of a SEIPDv2 
session key should ever differ from the symmetric cipher key length, 
then I think we should clarify (with an erratum for RFC 9580?) that:

- The session key length for a SEIPDv2 packet must be equal to the 
symmetric cipher key length.
- Recipients must refuse to decrypt SEIPDv2 packets with session keys of 
differing length.

Thanks,
Heiko


PS: For reference, I have previously raised this point in 
https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/146, 
and this issue contains some discussion