Re: [openpgp] on the risks of pubkey codepoint parameterization [was: another suggestion for a way fwd with hybrid sigs]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 06 March 2024 23:28 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91167C14F61A for <openpgp@ietfa.amsl.com>; Wed, 6 Mar 2024 15:28:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="ylyZ2bC/"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="OfYzO6zG"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9HHBivqoETj for <openpgp@ietfa.amsl.com>; Wed, 6 Mar 2024 15:28:00 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D18A9C14F617 for <openpgp@ietf.org>; Wed, 6 Mar 2024 15:27:59 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1709767677; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=mlbW40MXIrOGJMZ5kSO5d9fFw4eyHQ5svtJPHM0eVuQ=; b=ylyZ2bC/CDSPWIVqe4Nud5kQvhZLhRtC+rNP8hUxn88t1SzRicd7X/c6x1qqVlTHG3ZUW NJtjxs2yjoUyPSUCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1709767677; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=mlbW40MXIrOGJMZ5kSO5d9fFw4eyHQ5svtJPHM0eVuQ=; b=OfYzO6zG012w3yUzhU8mr6CqLn8Ei4x1T2IqwPH2JbscBVHZPqZZqSWY3OIWRaZ8GHQzN Ka7xsAkTjYWzSs8w2yWC7AlpOf/zxlOg/VXUex+ZrgqbFw1PZv3zqQGT0Mj597H9c2kgnLm WRoCoLQWI0yZzlmDPFj3uDXRBpRBdUZ6DyuHZMd8trmJYL5BB+3D//Zvhye3kdxwGniVacL ojj7fiLToYkFRtbrZknbrHZIE44HHRN47WHLh/DUHxiqm0j0EJsSl69v80X638oGXv6flg7 qG6YARp4++f2IXsdJB4STedjsJ50AmYhR+tb5X+Efid/I6kWitGHwq/I6hzA==
Received: from fifthhorseman.net (AMERICAN-CI.ear2.NewYork6.Level3.net [4.59.214.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 62688F9D8 for <openpgp@ietf.org>; Wed, 6 Mar 2024 18:27:57 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 103422040F; Wed, 6 Mar 2024 18:27:52 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <fN68fEVrKeFAoLM161zKFrIUp8w-murqT3agVbp9m-PYG0C1lQXTCLY_nK-R2Uw2prxC0RbJWkBwh7ymTEkCvW-ICN5UyzaWNmGoTKvgVjI=@protonmail.com>
References: <393c208b-cd46-4ccb-95ad-8fc276b241f0@cs.tcd.ie> <fN68fEVrKeFAoLM161zKFrIUp8w-murqT3agVbp9m-PYG0C1lQXTCLY_nK-R2Uw2prxC0RbJWkBwh7ymTEkCvW-ICN5UyzaWNmGoTKvgVjI=@protonmail.com>
Autocrypt: addr=Daniel Kahn Gillmor; prefer-encrypt=mutual; keydata= xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/YO+5Zi7HCi QQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu36RAUlea/ cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jCsnnp9FdYhaSSUW/vZ8kBAJByWlj A9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20NzRc8ZGtnQGZpZnRoaG9yc2VtYW4ubmV0PsLA EQQTFgoAeQMLCQdHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEu/CS CeyWwC6j4ihJr2u/z6delsF1pvYW3ufgf1L538DFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu3 6RAUlea/cFAmWnX5AFCQXZ8EUACgkQu36RAUlea/cjVwD+ONjdHM74rAa6EEiiqaPjlptiaZx CVqFYXnib6EbZARkBAPnnR8pW8vCBnDXHKu65jNqwF3aH761NaOqqMFfppg8GzjMEZXEJyxYJ KwYBBAHaRw8BAQdAjX25Fq2Q9IUFeHy6yByIQPBnFOedFliuEiCIUzJsENDCwMUEGBYKAS1HF AAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnwqKWsw56uoWVLIFcs7ZecJ gwpsSNevWCzbviKQ8yRLUCmwK+oAQZFgoAbwWCZXEJywkQdy0WHjXNS4FHFAAAAAAAHgAgc2F sdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEIJSOxuw2y/UJmg5M3BLpN0JYjODZpXiEVFu 1byARzMWIQR0vATEPYYIS+hnLAZ3LRYeNc1LgQAAsH8BAKg1C5LK/D7pSkXCD+jfTSP+CqM58 iHLjh4vKhpOKsTJAQCHldtEjxJ1ksPTFgG9HihHH7qc6/wvvLw77ETMpwlrAxYhBNR3BAxwwh VqXCmFSbt+kQFJXmv3BQJlp1+rBQkCF4lgAAoJELt+kQFJXmv3ydsA/2roQZ2Jm/7iUrg/2C5 ClWA/xbvPC31LyMkGGH2/rq8tAP9BgqLuCPnNTVPqeX9+9qqMmaFq7wmvjq5I+yycAw9CDc44 BGVxCcsSCisGAQQBl1UBBQEBB0BZMsRrRaaeFSYMF1ZdfRmVgBriDUIr99eDQ085BK14DgMBC AfCwAYEGBYKAG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnsazAWX tEHUPmSTmcRZAIsAsNiO8k0hdjsfRlRVipgJgCmwwWIQTUdwQMcMIValwphUm7fpEBSV5r9wU CZadfqwUJAheJYAAKCRC7fpEBSV5r90AjAPwLgY1iKiFJEj32SVD5f721929l79VxQB5FlQss x1n5kQEA6Uct2tPvbB6T7p5KG3Gl+tbi7oJAuxFmpkpW5/N2Owg=
Date: Wed, 06 Mar 2024 18:27:50 -0500
Message-ID: <87zfvbaqkp.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Y-lvETvW1zQMIbuJDbp6UG-MhAY>
Subject: Re: [openpgp] on the risks of pubkey codepoint parameterization [was: another suggestion for a way fwd with hybrid sigs]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 23:28:04 -0000
On Wed 2024-03-06 12:37:45 +0000, Daniel Huigens wrote: > My only caution would be that, if we commit to only having one code > point in advance, folks might be tempted to use it for two security > levels of ML-DSA (if they feel that we need both, which I'm personally > not sure is the case) by parameterizing the code point, which I would > prefer not to do. As soon as you said this, i started thinking "hm, if it came to that, what would be the best way to parameterize this?" ha ha, the exact opposite of what you wanted to happen :P But i share your instinct that parameterized pubkey codepoints are not a great idea. So, i turned my line of inquiry into *why* parameterized pubkey codepoints seem problematic. The answers i came up with (in a personal capacity, not wearing a chair hat) are below. I hope folks will critique or correct them! # Parameterized Pubkey Codepoints in OpenPGP Many OpenPGP pubkey algorithm codepoints are parameterized. For example, RSA (pubkey ID 1), ElGamal (16), and DSA (17) can have arbitrary sizes, up to the size limit of the MPI format. This can be seen as a sort of simple size-based parameterization. ECDSA (19), ECDH (18), and EdDSALegacy (22) are each parameterized internally by OID, yielding even more potential variation than size, depending on how the OIDs are characterized. For example, ECDH with Curve25519Legacy behaves differently (e.g., has different wire format) than ECDH with BrainpoolP256r1. The more recently defined pubkey codepoints (X25519 (25), X448 (26), Ed25519 (27) and Ed448 (28)) are not parameterized at all. each codepoint represents a single, unique algorithm. # Concerns About Parameterized Pubkeys in OpenPGP What specifically are the drawbacks to parameterized public key algorithms in OpenPGP? ## Interoperability/Compatibility It is difficult to know whether any given implementation fully supports a parameterized public key algorithm. For size-based parameterization, https://tests.sequoia-pgp.org/#RSA_key_sizes demonstrates a wide range of acceptance/rejection across different implementations. The OID-based parameterization of ECDH, ECDSA, and EdDSALegacy codepoints make it impossible to know for certain whether any particular algorithm or curve is supported. For example, knowing that my recipient's implementation can do ECDH doesn't help me at all with knowing whether any particular curve is supported. ## Cross-algorithm Weak Context The stream of octets hashed for an OpenPGP signature (see the "Computing Signatures" section in RFC 4880 and draft-ietf-openpgp-crypto-refresh) explicitly contains the signature algorithm octet, but does not contain any parameterization indicator. If you consider two signing keys from algorithms that have different algorithm IDs, those keys will never sign the same bytestream, because there is one octet in the bytestream that identifies the algorithm ID. But for two keys that share the same algorithm ID, but use actually different algorithms, to the extent that any cross-algorithm confusion is possible, the stream of bytes hashed cannot be used to explicitly differentiate the algorithmic context. I tried to do a comparable analysis on pubkey encryption, and stumbled a bit. When encrypting with PKESK (either v3 or v6), i don't see a way that the specific pubkey algorithm ID is folded into any stages of the wrapping of the session key, with the exception of ECDH, which explicitly puts the ECDH algorithm ID into the KDF function used to derive the key for AES keywrap. ECDH also includes the parameterization itself (by means of the curve OID) in the KDF for the keywrap. non-parameterized X25519 and X448 differentiate themselves from each other not by algorithm ID, but by algorithm-specific strings in the HKDF info parameter. As a result, I'm not sure whether there are ways to abuse the missing context in pubkey encryption algorithms. And, cross-algorithm attacks are themselves pretty arcane. I don't think i know of a specific real-world attack. ## Multidimensional Parameterization In some cases, the parameterization isn't just size or arbitrary OID, but actual flexible, "choose one from column A, one from column B, and one from column C" multidimensional parameterization. For example, the KDF parameterization of ECDH leaves room to choose a hash function for the KDF and a symmetric cipher for the KEK. (as of the crypto-refresh, this flexibility is deprecated, and specific choices are bound to the curve OID for v6 encryption-capable ECDH keys) Multidimensional parameterization is a bad idea because it lets the generator make mismatched choices (e.g., KDF hash algo SHA2-224 and KEK symmetric algo AES-256) or bizarre combinations (RIPEMD-160 with Camellia-256) which might not have sufficiently widespread support. Furthermore, as the dimensions increase, test suites are obliged to deal with a combinatorial explosion of options if they want to confirm full coverage. What else have i missed in this analysis? What have i gotten wrong? --dkg
- [openpgp] another suggestion for a way fwd with h… Stephen Farrell
- Re: [openpgp] another suggestion for a way fwd wi… Daniel Huigens
- Re: [openpgp] another suggestion for a way fwd wi… Stephen Farrell
- Re: [openpgp] another suggestion for a way fwd wi… Orie Steele
- Re: [openpgp] another suggestion for a way fwd wi… Orie Steele
- Re: [openpgp] on the risks of pubkey codepoint pa… Daniel Kahn Gillmor
- Re: [openpgp] another suggestion for a way fwd wi… Andrew Gallagher
- Re: [openpgp] another suggestion for a way fwd wi… Stephen Farrell
- Re: [openpgp] another suggestion for a way fwd wi… Falko Strenzke
- Re: [openpgp] another suggestion for a way fwd wi… Stephen Farrell
- Re: [openpgp] on the risks of pubkey codepoint pa… Justus Winter