IETF Logo Mail Archive

Re: [openpgp] Review of crypto-refresh 07

Falko Strenzke <falko.strenzke@mtg.de> Thu, 17 November 2022 15:02 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF478C14CF06 for <openpgp@ietfa.amsl.com>; Thu, 17 Nov 2022 07:02:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jaR9tGy5uCW5 for <openpgp@ietfa.amsl.com>; Thu, 17 Nov 2022 07:02:28 -0800 (PST)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C883C1524C9 for <openpgp@ietf.org>; Thu, 17 Nov 2022 07:01:18 -0800 (PST)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.17.1/8.17.1) with ESMTPS id 2AHF1EhD007871 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Thu, 17 Nov 2022 16:01:14 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1668697274; bh=Agw5JEsCgunXpR4csTUnE3FqXaKc/TwTsrA5XG3RuY0=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=CpjRSesb+iMuUjb8/VwavO4Jh8RKAe5NbrtBLDdocaAT1Ff/SgAeS6whSUhKO3k2m JQ/SkicHlxJ7q+I8vKoN1mDp+YHXLEsZ+ypuTiYLiaYoR4gVLu+C8aHV2kMWNozc+0 BYQkX2Rdf+v6GVRb6PX1+Wo/3fSv1EPJslfLH8mOwJO/bunP3V86p8Ds6ltkJmMwoL YiOiW3E1L0K0SkVjimIt+2YB4GD7gr33LRnxnT8n7qvRYtDXfIqQQlls45Yru9bJ7p Xmpk2LbLjxpfwEJs6mMFg8K6ASEjYKgMgoVVOp7Vp8NMCXjPu6g6dTh/vZIlbgNacc hvTKhVx1EHiSw==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.17.1/8.17.1) with ESMTPS id 2AHF1C1i020918 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Thu, 17 Nov 2022 16:01:12 +0100
Message-ID: <bdb8b9d4-da9c-ca35-c3b1-20db01f56426@mtg.de>
Date: Thu, 17 Nov 2022 16:01:12 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
Content-Language: de-DE, en-GB
To: Paul Wouters <paul@nohats.ca>
Cc: openpgp@ietf.org
References: <9901f3c9-7944-e8a0-d2e5-a0aced7cbc3b@mtg.de> <e3837d24-37f5-2313-e15c-c389814e6a1a@nohats.ca>
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <e3837d24-37f5-2313-e15c-c389814e6a1a@nohats.ca>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms090904000404080801030301"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Wwvs0BmVGIHRmzlCVwgJl6f5GiY>
Subject: Re: [openpgp] Review of crypto-refresh 07
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 15:02:33 -0000

Hi Paul,

Am 16.11.22 um 23:01 schrieb Paul Wouters:
> On Wed, 16 Nov 2022, Falko Strenzke wrote:
> ## 9.2. ECC Curves for OpenPGP
> The alternative to not even checking MD5 is worse. The text states to
> use this only for old (stored) messages, not new incoming messages.

The alternative I propose would be to indicate a verification failure. 
MD5 is broken and generally phased out as a signature hash algorithm 
since about 20 years.

Note that the same document forbids the verification of RSA signatures 
with less than 2048 bit keys: "An implementation MUST NOT encrypt, sign 
or verify using RSA keys of size less than 2048 bits". An RSA key 
between 1024 and 2047 bits is not yet broken. For MD5, anyone can 
download tools to build collisions on the internet and forge signatures. 
So I think it would be good to have a clarification why these cases are 
treated so differently by this specification.

Also I am not sure to understand the whole concept of "old signatures" 
that are known to be stored for a long time. If one knows to have 
received a message long ago and that it is unmodified since then, what 
is then the gain of a repeated signature verification at all? If I 
really now that a message is unmodified since a time in the past where I 
received it and back then I still trusted the signature mechanism 
(including the hash function), I don't need a new signature verification 
at all. If I think I need to repeat the verification, my trust in the 
message not having been modified apparently is not high enough. And for 
sure non-repudiation is completely irrelevant in the view of a broken 
hash algorithm.


>> ### Table 32
>>
>> "Table 32: Key length equivalences" would benefit from making clear 
>> to what algorithms "Asymmetric key size" pertains and from the 
>> addition of EC key sizes.
>
> There is no specific algorithm for these "rough estimates" of strength.
> We are simply quoting NIST and they have generalized these numbers. I do
> not think a text change is needed here.
What I meant by "algorithm" is what cryptographic algorithm that column 
pertains to. Clearly, the column "Asymmetric key size" refers to RSA and 
DL groups. Extending it by ECC key sizes would make sense in my opinion 
as that is the current preferred standard in OpenPGP if I understand 
correctly. See 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf 
page 67 for the security strengths of ECC parameter sizes.
>
>> ###  14.7. Avoiding Ciphertext Malleability
>>
>> The list following the sentence "Any of the following OpenPGP data 
>> elements indicate that malleable ciphertext is present:" mixes 
>> instances of malleable ciphertext formats with non-malleable 
>> ciphertext formats where the ciphertext has been manipulated. This 
>> should be corrected.
>
> Do you have specific text in mind? Split the listing in two, or remove
> the entries that have no malleable ciphertext ?
I would split the list. If preferred I can make a merge request with a 
proposal.
> ## 14.7. Avoiding Ciphertext Malleability
>>
>>> When encrypting to one or more public keys: all recipient keys 
>> indicate support for version
>>
>> Insert "If" after the colon.
>
> I cannot locate this text? Perhaps it was changed since you read it, or
> this was a note of you based on an older version?
This is the link: 
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-14.7-9.2.1
>
>> ## A general note on terminology used to refer to bits
>>
>> * In certain places bits in a byte are referred to by number, e.g. 
>> "bit 7". There is an instance where the meaning of this numbering is 
>> explained, but it is contained in a section under which it is not 
>> easily found. I recommended to
>>   introduce this notation in a preliminary section for easy reference.
>
> Please provide text and location where you would want this.

The definition of the bit numbering is given here: 
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-packet-headers

A use of the numbering is found here: 
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.2.3.5-10

and here: 
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.3.2-4

and more places.

The specification of the bit numbering could be given in a new section 
under Section 3 
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-data-element-formats

If the section numbering shall remain unchanged, one could put it 
instead into the existing section 
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-scalar-numbers 
(with a possible title change, but strictly viewed, octets are just 
8-bit scalar numbers)

>
>> ## 4.1 Overview
>>
>>>  In the event that a subfield length indicator within a packet implies 
>> inclusion of octets outside the range indicated in the packet header, 
>> a parser MUST truncate the subfield at the octet boundary indicated 
>> in the packet header. Such a
>> truncation renders the packet malformed and unusable.
>>
>> If the packet becomes invalid altogether, it is not necessary to 
>> describe the truncation of the subfield. In the current form, this 
>> paragraph seems a bit confusing and bears the risk
>> that it is interpreted differently by readers. It should be clearly 
>> said by the specification if a packet becomes malformed and must be 
>> ignored / flagged as erroneous when one of its subfields refers to 
>> octets outside the packet's range.
>
> I think what this is trying to do is prevent out of bounds writing,
> which could possibly lead to remote code execution. I've changed it to:
>
>     In the event that a subfield length indicator within a packet implies
>     inclusion of octets outside the range indicated in the packet 
> header, a
>     parser MUST abort without writing outside the indicated range and 
> MUST
>     treat the packet as malformed and unusable.
I think this paragraph is rather about preventing *reading* outside the 
packet range. So I would replace the word "writing" with "reading" in 
your proposed text.
> ## 11.3. OpenPGP Messages
>>
>>>  (comma represents sequential composition, and vertical bar separates 
>> alternatives)
>>
>> I propose to add "([...] alternatives
>> *, where the comma operator takes precedence over the bar operator*)"
>
> I don't think that is needed, as | represents an alternative, so clearly
> it works as an OR and then the binding becomes logical anyway, eg:
>
>     : Signature Packet, OpenPGP Message | One-Pass Signed Message.
>
> Though reading this now, that makes no sense for this one:
>
>     : OpenPGP Message | OpenPGP Message, Padding Packet.
>
> So even your interpretation is wrong :)

For this example:

Optionally Padded Message :- OpenPGP Message | OpenPGP Message, Padding 
Packet

I still think my interpretation is correct also here: when the comma 
takes precedence, it has to be read as

Optionally Padded Message :- OpenPGP Message | (OpenPGP Message, Padding 
Packet)

which is what I understand is meant. But it would be good to have this 
interpretation confirmed to be valid for the whole list.

- Falko

>
> Perhaps this last one should have been:
>
>     : OpenPGP Message , OpenPGP Message | Padding Packet.
>
> This could use some clarification on the list as well before making 
> changes.
>
> Thanks again for the review!
>
> Paul
-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>


*MTG Exhibitions 2022 – Let´s meet again!*

------------------------------------------------------------------------
<https://www.itsa365.de/de-de/companies/m/mtg-ag>

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.23.0 | Report a Bug | By Email