[openpgp] Re: session key length with SEIPDv2
Falko Strenzke <falko.strenzke@mtg.de> Tue, 08 October 2024 14:45 UTC
Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC48FC180B53 for <openpgp@ietfa.amsl.com>; Tue, 8 Oct 2024 07:45:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cb-oOSEh4YwV for <openpgp@ietfa.amsl.com>; Tue, 8 Oct 2024 07:45:18 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39E70C151525 for <openpgp@ietf.org>; Tue, 8 Oct 2024 07:45:17 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 498Ej3TD031482 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 8 Oct 2024 16:45:03 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1728398703; bh=QMI9J1HxX2GD17oLTzaX/IOlNWJPAL06k9SOdyhxA4s=; h=Date:Subject:To:References:From:In-Reply-To; b=SCWDxXc2uI+2M7iU6w8fR9FTDNHCvOfXoh/RlEJt+QKXmi3aiEOKmTC8mQ0daW5ZY aErnsoqRmQUmwnojZHD7FQTs/s+cNzmfkdqU4rB19d6bAcinm3C4Gh5Z05ZNeNAHWW anX+yEO+5vgGSLmgwTNBvTU7eMcWul6oa42cWYaej1em/AnMWeLbvFekKomxVvQWwO C2+Pwchbx0h+215QuTn1rilI99h2y9kIELenzfle3na7uJmRlGFR6qSUFKbNgIWKa6 VAVjtMFSrYb1U5zSW890xxUVzBf2UR5wfZz8OJfjgTrGKus9XNFR2Mxe3j+GnREKmS /KmiuVuU0xWoA==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 498Ej3tV005475 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 8 Oct 2024 16:45:03 +0200
Message-ID: <cd727941-b547-4ef2-9e3c-609e93e1f3ab@mtg.de>
Date: Tue, 08 Oct 2024 16:45:02 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
References: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de> <HvPoeoRKHGaIbIcV2cwKvnY8uVH6UqJ2PUAlBu1AFmyr6plq6RNUGqQNKZE9RllDHSdDsmuPmTJeP-BX93cALBiNITsIg40HMFPPcy3Z_dQ=@protonmail.com> <87o73z7pwy.fsf@fifthhorseman.net> <WbuzsNz4I_wBvXGTTrh2mD0r5aAKVye2mZynPySokMkx3djh8a8Ad9GPbbFrAcc74REmwNmrH4trBmjJREDtfpVCdKOsI_PPz34hf2idEuM=@protonmail.com> <87ldyy7lwy.fsf@fifthhorseman.net>
Content-Language: en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
In-Reply-To: <87ldyy7lwy.fsf@fifthhorseman.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060002020809030804050405"
Message-ID-Hash: JOEXAS7E3R25JJLPZ5CIAHJZNPIK2FPE
X-Message-ID-Hash: JOEXAS7E3R25JJLPZ5CIAHJZNPIK2FPE
X-MailFrom: falko.strenzke@mtg.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [openpgp] Re: session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WvN-UcelwTiaNpv9_ndExsiAbzo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
While I generally agree that consumer guidance should be strict as well in order to reveal drastic usage errors of the producer, the problem in this specific case is that the official spec doesn't provide either guidance so far. Suggesting that the consumer rejects shorter data encryption keys in the errata seems prone to cause interoperability errors with producers that interpret the spec differently. They might for instance always produce 256 bit session keys even when using AES 128 for the payload encryption. So we can't simply look at it from the perspective that a mismatch is a security reduction – it might simply be an excessively strong session key from the perspective of the producer. In my view the consumer guidance should state that a warning or error SHOULD be issued if an existing requirement for the security level is violated by either the size of the session key or that of the data encryption key – rather than checking only the size of one of them. The real risk seems to be that when trying to enforce a certain security level, an implementation might make the error of just checking the size of the session key, because of the two keys that is the one that has existed so far. Falko Am 08.10.24 um 15:40 schrieb Daniel Kahn Gillmor: > On Sat 2024-10-05 15:42:19 +0000, Daniel Huigens wrote: >> All of that is not to say that I'm opposed to consumer guidance, but I >> think (normative) producer guidance is the more important part and the >> part that can more unambiguously be shown to have been intended given >> the above quotes of RFC9580, and thus I think it could go in an erratum? >> Whereas if we want consumer guidance (for SEIPDv2 and v1) I'd expect >> it'd have to go somewhere else. But, lmk if you disagree, of course. > Producer guidance without consumer guidance seems rather toothless to > me, but i'd be curious to know what the rest of the WG thinks about > this. > > Here's a stab at fairly wishy-washy proposed guidance for both sides > that tries to explicitly state what i expect is the status quo: > > When producing a message using SEIPD v2 with corresponding PKESKs > or SKESKs, The length of the session key MUST equal the key size of > the symmetric algorithm used in the encryption container. > > When handling a message that uses SEIPD v2, if the session key size > does not equal the key size of the symmetric algorithm used in the > encryption container, the consuming implementation SHOULD warn that > the message is malformed, and MAY decline to decrypt the message. > > This consumer guidance is itself still fairly toothless, but at least it > describes the range of likely responses that justify the MUST on > interoperability grounds. > > wdyt? > > --dkg > > _______________________________________________ > openpgp mailing list --openpgp@ietf.org > To unsubscribe send an email toopenpgp-leave@ietf.org -- *MTG AG* Dr. Falko Strenzke Phone: +49 6151 8000 24 E-Mail: falko.strenzke@mtg.de Web: mtg.de <https://www.mtg.de> ------------------------------------------------------------------------ MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany Commercial register: HRB 8901 Register Court: Amtsgericht Darmstadt Management Board: Jürgen Ruf (CEO), Tamer Kemeröz Chairman of the Supervisory Board: Dr. Thomas Milde This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted. Data protection information: Privacy policy <https://www.mtg.de/en/privacy-policy>
- [openpgp] session key length with SEIPDv2 Heiko Schäfer
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Justus Winter
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor