Re: [openpgp] Version 5 key and fingerprint proposal

Werner Koch <wk@gnupg.org> Wed, 08 March 2017 10:28 UTC

On Wed,  8 Mar 2017 00:06, KellerFuchs@hashbang.sh said:

> Since it's not entirely clear (at least to me) if this means keeping the 20
> rightmost octets or dropping octets right of the 25th, not introducing it
> is not ideal.

What about this:

  -V4 keys use the untruncated 20 octet fingerprint; V5 keys use the
  -right truncated 25 octet fingerprint
  +V4 keys use the full 20 octet fingerprint; V5 keys use the
  +leftmost 25 octets of the fingerprint

   Note that the length N of the fingerprint for a version 4 key is 20
  -octets.  For a version 5 key N is 25 and the fingerprint is right
  -truncated to 25 octets.
  +octets.  For a version 5 key the leftmost 25 octets of the fingerprint
  +are used (N=25).
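
Review bot: in the added sentence "(N=25)" is tacked on after the clause, while the preceding unchanged sentence defines N as the length of the fingerprint. For a version 5 key N is then the length of the truncated value, not of the fingerprint itself. Consider stating that directly, for example "For a version 5 key N is 25: only the leftmost 25 octets of the fingerprint are used", so a reader does not take 25 to be the full V5 fingerprint length.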

       key fingerprint, identifying the key material that is needed for
  -    the decryption.  For version 5 keys the fingerprint is right
  -    truncated to 20 octets.
  +    the decryption.  For version 5 keys the 20 leftmost octets of the
  +    fingerprint are used.
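
Review bot: the added lines keep 20 octets for version 5 keys ("the 20 leftmost octets"), while the two hunks above use 25 for version 5 keys. If the shorter value is intended for this field, a short clause saying so would stop readers from treating it as a leftover; if it is not intended, it should read 25. The word order also differs from the other hunks ("leftmost 25 octets" versus "20 leftmost octets"); using one form throughout keeps the text consistent.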


> Also, but I likely missed the relevant WG thread, why truncate the
> fingerprint to 200 bits? (Not that this is likely an issue.)

That was a suggestion from the Berlin meeting.

Given that even for SHA-1 no pre-image attack is known, we get quite
some security margin by using 200 bits from SHA-256 over the 160 from
SHA-1.

When a truncated SHA-256 shows weaknesses we only need to replace two
signature subpackets but the fingerprint won't change.

Due to the use of the 'Issuer Fingerprint' the signatures grow in size by
22 octets which is substantial for ECC signatures.  With the full V5
fingerprint this would increase to 25 octets (34 - 9 from the not used
'Issuer' subpacket).  By truncating the fingerprint we will only use 18
octets which is even a saving compared to V4 keys.


Shalom-Salam,

   Werner