Re: [openpgp] Review of crypto-refresh 07
Falko Strenzke <falko.strenzke@mtg.de> Thu, 17 November 2022 15:02 UTC
Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF478C14CF06 for <openpgp@ietfa.amsl.com>; Thu, 17 Nov 2022 07:02:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jaR9tGy5uCW5 for <openpgp@ietfa.amsl.com>; Thu, 17 Nov 2022 07:02:28 -0800 (PST)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C883C1524C9 for <openpgp@ietf.org>; Thu, 17 Nov 2022 07:01:18 -0800 (PST)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.17.1/8.17.1) with ESMTPS id 2AHF1EhD007871 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Thu, 17 Nov 2022 16:01:14 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1668697274; bh=Agw5JEsCgunXpR4csTUnE3FqXaKc/TwTsrA5XG3RuY0=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=CpjRSesb+iMuUjb8/VwavO4Jh8RKAe5NbrtBLDdocaAT1Ff/SgAeS6whSUhKO3k2m JQ/SkicHlxJ7q+I8vKoN1mDp+YHXLEsZ+ypuTiYLiaYoR4gVLu+C8aHV2kMWNozc+0 BYQkX2Rdf+v6GVRb6PX1+Wo/3fSv1EPJslfLH8mOwJO/bunP3V86p8Ds6ltkJmMwoL YiOiW3E1L0K0SkVjimIt+2YB4GD7gr33LRnxnT8n7qvRYtDXfIqQQlls45Yru9bJ7p Xmpk2LbLjxpfwEJs6mMFg8K6ASEjYKgMgoVVOp7Vp8NMCXjPu6g6dTh/vZIlbgNacc hvTKhVx1EHiSw==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.17.1/8.17.1) with ESMTPS id 2AHF1C1i020918 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Thu, 17 Nov 2022 16:01:12 +0100
Message-ID: <bdb8b9d4-da9c-ca35-c3b1-20db01f56426@mtg.de>
Date: Thu, 17 Nov 2022 16:01:12 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
Content-Language: de-DE, en-GB
To: Paul Wouters <paul@nohats.ca>
Cc: openpgp@ietf.org
References: <9901f3c9-7944-e8a0-d2e5-a0aced7cbc3b@mtg.de> <e3837d24-37f5-2313-e15c-c389814e6a1a@nohats.ca>
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <e3837d24-37f5-2313-e15c-c389814e6a1a@nohats.ca>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms090904000404080801030301"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Wwvs0BmVGIHRmzlCVwgJl6f5GiY>
Subject: Re: [openpgp] Review of crypto-refresh 07
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 15:02:33 -0000
Hi Paul, Am 16.11.22 um 23:01 schrieb Paul Wouters: > On Wed, 16 Nov 2022, Falko Strenzke wrote: > ## 9.2. ECC Curves for OpenPGP > The alternative to not even checking MD5 is worse. The text states to > use this only for old (stored) messages, not new incoming messages. The alternative I propose would be to indicate a verification failure. MD5 is broken and generally phased out as a signature hash algorithm since about 20 years. Note that the same document forbids the verification of RSA signatures with less than 2048 bit keys: "An implementation MUST NOT encrypt, sign or verify using RSA keys of size less than 2048 bits". An RSA key between 1024 and 2047 bits is not yet broken. For MD5, anyone can download tools to build collisions on the internet and forge signatures. So I think it would be good to have a clarification why these cases are treated so differently by this specification. Also I am not sure to understand the whole concept of "old signatures" that are known to be stored for a long time. If one knows to have received a message long ago and that it is unmodified since then, what is then the gain of a repeated signature verification at all? If I really now that a message is unmodified since a time in the past where I received it and back then I still trusted the signature mechanism (including the hash function), I don't need a new signature verification at all. If I think I need to repeat the verification, my trust in the message not having been modified apparently is not high enough. And for sure non-repudiation is completely irrelevant in the view of a broken hash algorithm. >> ### Table 32 >> >> "Table 32: Key length equivalences" would benefit from making clear >> to what algorithms "Asymmetric key size" pertains and from the >> addition of EC key sizes. > > There is no specific algorithm for these "rough estimates" of strength. > We are simply quoting NIST and they have generalized these numbers. I do > not think a text change is needed here. What I meant by "algorithm" is what cryptographic algorithm that column pertains to. Clearly, the column "Asymmetric key size" refers to RSA and DL groups. Extending it by ECC key sizes would make sense in my opinion as that is the current preferred standard in OpenPGP if I understand correctly. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf page 67 for the security strengths of ECC parameter sizes. > >> ### 14.7. Avoiding Ciphertext Malleability >> >> The list following the sentence "Any of the following OpenPGP data >> elements indicate that malleable ciphertext is present:" mixes >> instances of malleable ciphertext formats with non-malleable >> ciphertext formats where the ciphertext has been manipulated. This >> should be corrected. > > Do you have specific text in mind? Split the listing in two, or remove > the entries that have no malleable ciphertext ? I would split the list. If preferred I can make a merge request with a proposal. > ## 14.7. Avoiding Ciphertext Malleability >> >>> When encrypting to one or more public keys: all recipient keys >> indicate support for version >> >> Insert "If" after the colon. > > I cannot locate this text? Perhaps it was changed since you read it, or > this was a note of you based on an older version? This is the link: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-14.7-9.2.1 > >> ## A general note on terminology used to refer to bits >> >> * In certain places bits in a byte are referred to by number, e.g. >> "bit 7". There is an instance where the meaning of this numbering is >> explained, but it is contained in a section under which it is not >> easily found. I recommended to >> introduce this notation in a preliminary section for easy reference. > > Please provide text and location where you would want this. The definition of the bit numbering is given here: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-packet-headers A use of the numbering is found here: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.2.3.5-10 and here: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.3.2-4 and more places. The specification of the bit numbering could be given in a new section under Section 3 https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-data-element-formats If the section numbering shall remain unchanged, one could put it instead into the existing section https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-scalar-numbers (with a possible title change, but strictly viewed, octets are just 8-bit scalar numbers) > >> ## 4.1 Overview >> >>> In the event that a subfield length indicator within a packet implies >> inclusion of octets outside the range indicated in the packet header, >> a parser MUST truncate the subfield at the octet boundary indicated >> in the packet header. Such a >> truncation renders the packet malformed and unusable. >> >> If the packet becomes invalid altogether, it is not necessary to >> describe the truncation of the subfield. In the current form, this >> paragraph seems a bit confusing and bears the risk >> that it is interpreted differently by readers. It should be clearly >> said by the specification if a packet becomes malformed and must be >> ignored / flagged as erroneous when one of its subfields refers to >> octets outside the packet's range. > > I think what this is trying to do is prevent out of bounds writing, > which could possibly lead to remote code execution. I've changed it to: > > In the event that a subfield length indicator within a packet implies > inclusion of octets outside the range indicated in the packet > header, a > parser MUST abort without writing outside the indicated range and > MUST > treat the packet as malformed and unusable. I think this paragraph is rather about preventing *reading* outside the packet range. So I would replace the word "writing" with "reading" in your proposed text. > ## 11.3. OpenPGP Messages >> >>> (comma represents sequential composition, and vertical bar separates >> alternatives) >> >> I propose to add "([...] alternatives >> *, where the comma operator takes precedence over the bar operator*)" > > I don't think that is needed, as | represents an alternative, so clearly > it works as an OR and then the binding becomes logical anyway, eg: > > : Signature Packet, OpenPGP Message | One-Pass Signed Message. > > Though reading this now, that makes no sense for this one: > > : OpenPGP Message | OpenPGP Message, Padding Packet. > > So even your interpretation is wrong :) For this example: Optionally Padded Message :- OpenPGP Message | OpenPGP Message, Padding Packet I still think my interpretation is correct also here: when the comma takes precedence, it has to be read as Optionally Padded Message :- OpenPGP Message | (OpenPGP Message, Padding Packet) which is what I understand is meant. But it would be good to have this interpretation confirmed to be valid for the whole list. - Falko > > Perhaps this last one should have been: > > : OpenPGP Message , OpenPGP Message | Padding Packet. > > This could use some clarification on the list as well before making > changes. > > Thanks again for the review! > > Paul -- *MTG AG* Dr. Falko Strenzke Executive System Architect Phone: +49 6151 8000 24 E-Mail: falko.strenzke@mtg.de Web: mtg.de <https://www.mtg.de> *MTG Exhibitions 2022 – Let´s meet again!* ------------------------------------------------------------------------ <https://www.itsa365.de/de-de/companies/m/mtg-ag> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany Commercial register: HRB 8901 Register Court: Amtsgericht Darmstadt Management Board: Jürgen Ruf (CEO), Tamer Kemeröz Chairman of the Supervisory Board: Dr. Thomas Milde This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, please inform the sender immediately and delete this email. Unauthorised copying or distribution of this email is not permitted. Data protection information: Privacy policy <https://www.mtg.de/en/privacy-policy>
- [openpgp] Review of crypto-refresh 07 Falko Strenzke
- Re: [openpgp] Review of crypto-refresh 07 Paul Wouters
- Re: [openpgp] Review of crypto-refresh 07 Andrey Jivsov
- Re: [openpgp] Review of crypto-refresh 07 Falko Strenzke
- Re: [openpgp] Review of crypto-refresh 07 Falko Strenzke
- Re: [openpgp] Review of crypto-refresh 07 Andrey Jivsov
- Re: [openpgp] Review of crypto-refresh 07 Falko Strenzke