[openpgp] Re: session key length with SEIPDv2
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 09 October 2024 14:55 UTC
On Tue 2024-10-08 16:45:02 +0200, Falko Strenzke wrote:
> Suggesting that the consumer rejects shorter data encryption keys in
> the errata seems prone to cause interoperability errors with producers
> that interpret the spec differently.

Do we know of any producers that interpret the spec differently today by
using shorter session keys?

> They might for instance always produce 256 bit session keys even when
> using AES 128 for the payload encryption.

Sure, they *might*, but does anyone? Now is the time to produce clear
guidance to make sure the expectations are widely understood.

Do you object to the MUST requirement on producers that Daniel Huigens
proposed?

> In my view the consumer guidance should state that a warning or error
> SHOULD be issued if an existing requirement for the security level is
> violated by either the size of the session key or that of the data
> encryption key – rather than checking only the size of one of them.

It sounds like you're saying that there is an additional thing -- besides
the session key -- that can be mis-sized (and is underspecified in RFC
9580). What do you mean by "the data encryption key" in this context?

If you mean the output of the KDF during PKESKv6/SKESKv6 consumption,
isn't that size explicitly determined by the symmetric algorithm in the
SEIPDv2 packet? Under what circumstance might it be sized differently?

> The real risk seems to be that when trying to enforce a certain
> security level, an implementation might make the error of just
> checking the size of the session key, because of the two keys that is
> the one that has existed so far.

Can you translate this into explicit guidance that you think should have
been included in RFC 9580?

        --dkg
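Added example, not part of the original message or of any OpenPGP implementation: a Python sketch of the SEIPDv2 key derivation from RFC 9580, showing that the derived message key's size follows the cipher named in the packet while the attainable strength is bounded by the shorter of the session key and the cipher key. The `consumer_check` policy and its `required_bits` parameter are assumptions made for illustration, not guidance agreed on the list.

```python
import hashlib
import hmac

# RFC 9580 algorithm IDs mapped to sizes in octets (subset).
CIPHER_KEY_LEN = {7: 16, 8: 24, 9: 32}  # AES-128, AES-192, AES-256
AEAD_NONCE_LEN = {1: 16, 2: 15, 3: 12}  # EAX, OCB, GCM


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` octets."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_message_key(session_key, cipher, aead, chunk_octet, salt):
    """SEIPDv2 derivation: returns (message_key, iv_prefix).

    Output length is M + N - 8, fixed by the cipher and AEAD mode in the
    packet header; the session key length plays no part in it.
    """
    m, n = CIPHER_KEY_LEN[cipher], AEAD_NONCE_LEN[aead]
    info = bytes([0xD2, 2, cipher, aead, chunk_octet])  # packet 18, version 2
    okm = hkdf_sha256(session_key, salt, info, m + n - 8)
    return okm[:m], okm[m:]


def consumer_check(session_key, cipher, required_bits):
    """Hypothetical consumer policy (an assumption, not list consensus)."""
    m = CIPHER_KEY_LEN[cipher]
    problems = []
    if len(session_key) != m:
        problems.append("session key is %d octets, cipher expects %d"
                        % (len(session_key), m))
    # Strength is bounded by the smaller of the two keys.
    effective_bits = 8 * min(len(session_key), m)
    if effective_bits < required_bits:
        problems.append("effective strength %d bits is below required %d"
                        % (effective_bits, required_bits))
    return effective_bits, problems


if __name__ == "__main__":
    salt = bytes(32)              # constructed sample values, not real traffic
    short_key = bytes(range(16))  # 128-bit session key paired with AES-256
    key, iv = derive_message_key(short_key, 9, 3, 6, salt)
    print(len(key), len(iv), consumer_check(short_key, 9, 256))
```

A 128-bit session key paired with AES-256 still yields a 256-bit message key, which is why a check on only one of the two sizes can report a misleading security level.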