Re: [openpgp] v5 fingerprints in ECDH

Paul Wouters <paul@nohats.ca> Sun, 28 February 2021 17:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bYstQNOb_pamjj_36e1A7TfLGtg>

On Sat, 27 Feb 2021, brian m. carlson wrote:

> I noticed for v5 fingerprints we hash only the left 20 octets in the
> ECDH KDF:
>
>  20 octets representing a recipient encryption subkey or a master
>  key fingerprint, identifying the key material that is needed for
>  the decryption.  For version 5 keys the 20 leftmost octets of the
>  fingerprint are used.
>
> Absent a compelling reason, I'd prefer to see the entire fingerprint
> used.  It doesn't make sense to define a fingerprint that's 32 octets
> and then truncate it to 20 octets in some cases.  At that point, we're
> relying on the collision resistance of a different algorithm, not
> SHA-256, and decreasing the security level to below 128 bits.
>
> Note that if we do this, we'll need to update the text above and below
> to reflect that the sizes are not invariant.

I think whether or not this change can still be made depends on what has
already been implemented. That is, are we describing what is already out
there, or is this something new? If it is new, then this issue is worth
getting consensus on.

Can implementors share some light on this?

Does anyone remember the origin of only using 20 octets and not all
octets?

Paul
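
The binding discussed in this thread, as an added example that is not part of either message or of the draft: it builds the ECDH KDF parameter block with the field layout of RFC 6637 section 8 and compares the derived key-wrapping key when the fingerprint field holds the 20 leftmost octets versus all 32. Assumptions: P-256 with SHA-256 and AES-128, a constructed shared secret, two constructed 32-octet fingerprints, and a "full fingerprint" variant that models the proposal quoted above rather than any specified format.

```python
import hashlib

# Fixed fields of the KDF parameter block, laid out as in RFC 6637 section 8.
P256_OID = bytes.fromhex("2a8648ce3d030107")   # NIST P-256 curve OID
ECDH_ALG_ID = 18                               # public-key algorithm ID for ECDH
SHA256_ID = 8                                  # KDF hash algorithm ID
AES128_ID = 7                                  # key-wrapping cipher ID
ANON_SENDER = b"Anonymous Sender    "          # fixed 20-octet string


def kdf_param(fingerprint: bytes, truncate: bool) -> bytes:
    """Build Param; truncate=True keeps only the 20 leftmost fingerprint octets."""
    fp = fingerprint[:20] if truncate else fingerprint
    return (bytes([len(P256_OID)]) + P256_OID
            + bytes([ECDH_ALG_ID, 0x03, 0x01, SHA256_ID, AES128_ID])
            + ANON_SENDER + fp)


def derive_kek(shared_secret: bytes, fingerprint: bytes, truncate: bool) -> bytes:
    """Single-block KDF: SHA-256(00 00 00 01 || ZB || Param), leftmost 16 octets."""
    param = kdf_param(fingerprint, truncate)
    digest = hashlib.sha256(b"\x00\x00\x00\x01" + shared_secret + param).digest()
    return digest[:16]  # AES-128 key-wrapping key


def compare() -> dict:
    """Derive KEKs for two distinct fingerprints that share their first 20 octets."""
    zb = bytes(range(32))  # constructed shared secret, not a real ECDH output
    fp_a = hashlib.sha256(b"constructed v5 key A").digest()
    # Constructed second fingerprint: same 20 leftmost octets, different tail.
    fp_b = fp_a[:20] + bytes(b ^ 0xFF for b in fp_a[20:])
    return {
        "truncated_equal": derive_kek(zb, fp_a, True) == derive_kek(zb, fp_b, True),
        "full_equal": derive_kek(zb, fp_a, False) == derive_kek(zb, fp_b, False),
        "param_len_truncated": len(kdf_param(fp_a, True)),
        "param_len_full": len(kdf_param(fp_a, False)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The two parameter lengths differ, which is the size change the quoted message says the surrounding text would need to reflect.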