[openpgp] Choices for AEAD modes [was: AEAD and Rome]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 14 June 2022 23:40 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85B78C15AAE6 for <openpgp@ietfa.amsl.com>; Tue, 14 Jun 2022 16:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.315
X-Spam-Level:
X-Spam-Status: No, score=-1.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=Cw29rWQ0; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=eeF0UtE7
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 40NblGRoro52 for <openpgp@ietfa.amsl.com>; Tue, 14 Jun 2022 16:40:26 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42B98C14CF00 for <openpgp@ietf.org>; Tue, 14 Jun 2022 16:40:26 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1655250023; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=C6MLgcaMVG8eEYRFWw+qasR4gTV8OgUo6so8XGZjdhc=; b=Cw29rWQ0oBtCJhT7VdqkUsAHuB/tQZyOYLl/LPkXxz0gDE92ReB+VeSuzYg28hCQ/hKll cOJEwkARS8bBBLHCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1655250023; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=C6MLgcaMVG8eEYRFWw+qasR4gTV8OgUo6so8XGZjdhc=; b=eeF0UtE7oNcCE5rQathz36hxkogytH5HQGquUZ9DxREVThuX9u6a74rnXGbD7xE9qXVmg 3j7FKeStPy4ubVKW9NSO3HjuLg7H9BRxK28kRR0+Do422Ynkb4j0qUanEnD7BFrFF+gLGUH 6UHOOTRmvV8JX4CGVC0LUeW7o319o/AOxEAVPxERUoiAK37d1InhYa28C9nPmq+YpEl0Gvc X5ToNFRp+ZVy/sc3xvAowWOkuSj43F+ObVNGNgaoJJvc5NTXA7Kr+br5UGrl3+uUJhoZWXD 8CocPJFzZ2scXK93xPjj9yJE+0uJWwvCxkKZkoZDEw84yVOMAzgGtilVd3sA==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 41370F9AD for <openpgp@ietf.org>; Tue, 14 Jun 2022 19:40:23 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 8145320546; Tue, 14 Jun 2022 19:40:20 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <mAnMlR7HNIXC0Mzquewg8bVEHE9cqSkScWwn7zNyD0GBWXzr6CFS858ENPS6fPzVV7TyIbkOhgiG75aVKSuw2EBeCc_SDYpaG5IIzmDGemQ=@protonmail.com>
References: <BB9D0AB9-CC8C-420E-8082-E9F64B09BF46@ribose.com> <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca> <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com> <YqPEw8OIlf0PG40T@camp.crustytoothpaste.net> <25c3a7b5-07ef-1521-1a14-43ef0c7b4043@cs.tcd.ie> <SY4PR01MB6251D365368552630ECCD720EEA99@SY4PR01MB6251.ausprd01.prod.outlook.com> <4dd0ad8b-9de7-15e6-a9ef-e0401acd69f8@sixdemonbag.org> <p_7pskU0MxbpIjGwmAUTMmFsJxjA8QRQCGDbCfrYQTSXocrlDUFDdNuHXChjBwy3RAc2eA_mRIyGFDWD6u5peNNL_F9I3yUYXAa5Khy5XqE=@protonmail.com> <87y1y0bj9r.fsf_-_@wheatstone.g10code.de> <mAnMlR7HNIXC0Mzquewg8bVEHE9cqSkScWwn7zNyD0GBWXzr6CFS858ENPS6fPzVV7TyIbkOhgiG75aVKSuw2EBeCc_SDYpaG5IIzmDGemQ=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 14 Jun 2022 19:40:19 -0400
Message-ID: <87o7yuoluk.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/RD4LH-lClqUkXVpNE5jl6PzP1S4>
Subject: [openpgp] Choices for AEAD modes [was: AEAD and Rome]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 23:40:30 -0000
On Mon 2022-06-13 18:19:58 +0000, Daniel Huigens wrote: > However, if the general goal is to have as few algorithms as possible, > I also wouldn't be entirely opposed to having only OCB. Since the beginning of work on rfc4880bis years ago, one of the things that we've done as a working group is to reduce constraints on algorithmic flexibility. For example, in draft-ietf-openpgp-rfc4880bis-06 (back in 2018, ugh), most of the registries were changed from "IETF Consensus" to "Specification Required", to enable new cryptographic primitives to be added relatively easily. I'm not entirely convinced this is the best possible outcome, but it's a baseline that we've stuck with for multiple years now. It would be a little bit odd to try to change this strategy now as we are in WGLC for this document at long last. I'll observe initially that we do seem to have consensus in the WG that OCB is the mantadory-to-implement (MTI) AEAD mode, and any other mode is optional. I haven't heard anyone object to that baseline yet, even as we discuss different choices about non-MTI modes. Let me lay out the choices as i understand them with regard to the AEAD modes here: a) we can leave the current table of AEAD modes as it is. OCB remains MTI, other AEAD modes are explicitly optional. The key derivation function maintains key separation across algorithm modes so that no key will be potentially misused across modes by packet metadata manipulation. b) we can strip the table down so that it only contains OCB, but otherwise leaves the SEIPDv2 packet framing and key derivation mechanisms intact. c) we can remove any option for choice of AEAD mode, remove the table of AEAD modes entirely, and simply declare that SEIPDv2 is OCB. The key derivation function wouldn't include the AEAD mode, but presumably it would still include the packet version. d) we can revert to rfc4880bis-10's AEAD packet framing and key schedule, with its table of AEAD modes, without guarantees of key separation, and without GCM, but switched to OCB as the MTI mode. e) we could adopt some variant of rfc4880bis-10's AEAD packet framing and key schedule that only permits OCB, while removing the table of AEAD modes. option (b) is odd: if the AEAD mode table is "specification required", then surely GCM and EAX suffice (specifications are available), and existing implementations already handle them. Why should we *not* populate the table with a small handful of known AEAD algorithms now, and providing test vectors for them for improved interop. Even if we drop them from the crypto-refresh draft, I'd expect the people who want GCM (e.g. for FIPS compliance, or for optimized implementations dependent on WebCrypto) would want to come back and add them in again later. So i don't see the advantage over (a). option (c) would be a significant change to the spec, and it moves away from the "specification required" approach generally. I can see the advantage of doing so for increased interoperability, but this would be a little bit strange to argue for in the context of also arguing for inclusion of the Brainpool curves. Presumably we want Brainpool curves in the draft so that people with specific cryptographic requirements can meet their goals with OpenPGP. Surely the same argument holds for things like GCM? At least with AEAD modes we have capabilities/preferences advertising mechanism to indicate their preferred use, while we *don't* have any such thing for specific asymmetric algorithms. So arbitrary curves are even more risky for interop than supporting arbitrary cipher modes. Why would we want to support inclusion of different curves but not different AEAD modes? option (d) is problematic because a "specification required" registry would presumably soon have GCM added by folks who want it, but the lack of key separation between modes means that addition of a new mode like GCM risks introducing problems with cross-mode key abuse. This key separation is one of the reasons that the design team moved to the SEIPDv2 framing and key schedule in the first place. If there's going to be a table of AEAD algorithms, and we're going to permit new registrations in it, having a key derivation approach that makes it impossible to reuse a key across modes (either accidentally or through malice) is an important safeguard. option (e) shares the surprising change in registry strategy with (c), it changes the semantics of an already-reserved codepoint, *and* it has the disadvantage over (d) that no one has ever implemented this. So from what i can see, none of the options are clear improvements on (a), which is the approach outlined in draft-ietf-openpgp-crypto-refresh-06. Is there some other option that i'm not considering? --dkg PS If anyone is interested in trying to specify some kind of minimal-algorithm-flexibility updated version of OpenPGP, e.g. a v3 SEIPD, v6 SKESK, v6 key, v6 signature, and v6 PKESK all with fixed algorithm choices, that strikes me as an interesting project for being able to use a very minimalist OpenPGP implementation in a greenfield application. I don't know whether the WG could get consensus around what those algorithm choices would be, but I could imagine this work as something done in a rechartered working group, alongside the the interesting discussions we've had recently about algorithm expiration dates. I would be pretty sad if that kind of work ended up delaying the release of the crypto-refresh draft, though. I'd see the crypto-refresh draft as a kind of baseline for this approach.
- [openpgp] I-D Action: draft-ietf-openpgp-crypto-r… internet-drafts
- Re: [openpgp] I-D Action: draft-ietf-openpgp-cryp… Paul Wouters
- [openpgp] First remarks on the last I-D (Was: I-D… Werner Koch
- Re: [openpgp] First remarks on the last I-D (Was:… Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… Justus Winter
- Re: [openpgp] First remarks on the last I-D (Was:… Stephen Farrell
- Re: [openpgp] First remarks on the last I-D (Was:… Daniel Huigens
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Ronald Tse
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… brian m. carlson
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D brian m. carlson
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Paul Schaub
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Daniel Huigens
- [openpgp] AEAD and Rome (was: First remarks on th… Werner Koch
- Re: [openpgp] AEAD and Rome (was: First remarks o… Daniel Huigens
- [openpgp] Choices for AEAD modes [was: AEAD and R… Daniel Kahn Gillmor
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Justus Winter
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Paul Wouters
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… brian m. carlson
- Re: [openpgp] Choices for AEAD modes Ronald Tse
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes Stephen Farrell