Re: [openpgp] [PATCH] RFC4880bis: Argon2i

Nils Durner <ndurner@googlemail.com> Tue, 03 November 2015 06:54 UTC

Return-Path: <ndurner@googlemail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A25751B2ED9 for <openpgp@ietfa.amsl.com>; Mon, 2 Nov 2015 22:54:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bh0ODmM9KpfQ for <openpgp@ietfa.amsl.com>; Mon, 2 Nov 2015 22:54:51 -0800 (PST)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F4AB1B2ED8 for <openpgp@ietf.org>; Mon, 2 Nov 2015 22:54:51 -0800 (PST)
Received: by wicfx6 with SMTP id fx6so63217778wic.1 for <openpgp@ietf.org>; Mon, 02 Nov 2015 22:54:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=Mto9TQLzf4dysZUhDJO8n+Phf7eFf4SIH1gue8N28N4=; b=EnTkF6Rb58u/YCSBVrS+rTPUwkOWiVWaWhOQHf1ClWQxthZp+jU2pARobmakyXJJf7 50mJ0vRjDpobJUyuHy445XxA3jUWbLC1+tWfaHHwoXouVOTsyrAJSz9vYKhcLOhPSXi5 nXut6+mIO/3V/TE0Ct6kluM85rpn3LWcNGyjkS0aEpbilq2hpYJbP991/TooIa8adrNd e82tphZ2yZwonvvHnFGrhDzeWHMPLGO6KHCYs1PvSiswF7VUklNMAHrKARRSVQWKpo+5 OyDU/4ImuFGnqHa2vgjA+frGZ2+7cD6AG5RFqwdjzNO8E4zXY/DphuiRi/kF5zpI43At rBXg==
X-Received: by 10.195.18.6 with SMTP id gi6mr26854207wjd.47.1446533689803; Mon, 02 Nov 2015 22:54:49 -0800 (PST)
Received: from [192.168.188.46] (x4db00818.dyn.telefonica.de. [77.176.8.24]) by smtp.googlemail.com with ESMTPSA id w73sm21853395wme.12.2015.11.02.22.54.49 for <openpgp@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Nov 2015 22:54:49 -0800 (PST)
To: openpgp@ietf.org
References: <5623AA95.4060903@googlemail.com> <874mh3q3ol.fsf@alice.fifthhorseman.net> <56382F70.5000501@iang.org>
From: Nils Durner <ndurner@googlemail.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56385A38.6000707@googlemail.com>
Date: Tue, 3 Nov 2015 07:54:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <56382F70.5000501@iang.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Wh41v3JIT9VdcMe_6BxAKxhwoEM>
Subject: Re: [openpgp] [PATCH] RFC4880bis: Argon2i
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2015 06:54:52 -0000

Hi Ian,

> I agree with all the rest, but can we also deprecate some old stuff as
> well?
>
> Can we construct a plan e.g., that no existing S2K be used with new
> keys and the new form not be used with old keys?

I have made salt-based methods mandatory in my patch:
> +Implementations MUST generate S2K specifiers that include salts
> +(either type 2, 3 or 4), as simple S2K specifiers are more vulnerable to
(type 2 should actually be "type 1")
> +dictionary attacks. Use of Argon2i is RECOMMENDED as it offers
> +protection against massive-parallel and side-channel attacks. When
> +reading S2K specifiers that do not include salts, implementations SHOULD
> +issue a warning about potentially insecure methods being used. When
> +reading S2K specifiers other than Argon2i, implementations SHOULD issue
> +a warning about outdated methods being used.

We can of course raise the bar by excluding types 1 & 3 entirely.


Regards,

Nils