Re: [openpgp] [PATCH] RFC4880bis: Argon2i

ianG <iang@iang.org> Sun, 08 November 2015 10:49 UTC

To: openpgp@ietf.org
References: <5623AA95.4060903@googlemail.com> <874mh3q3ol.fsf@alice.fifthhorseman.net> <56382F70.5000501@iang.org> <56385A38.6000707@googlemail.com>
From: ianG <iang@iang.org>
Message-ID: <563F28C2.4040508@iang.org>
Date: Sun, 8 Nov 2015 10:49:38 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/dMe0V32bm2Z__0cmZfAAuqMwdVA>

On 3/11/2015 06:54 am, Nils Durner wrote:
> Hi Ian,
>
>> I agree with all the rest, but can we also deprecate some old stuff as
>> well?
>>
>> Can we construct a plan e.g., that no existing S2K be used with new
>> keys and the new form not be used with old keys?
>
> I have made salt-based methods mandatory in my patch:
>> +Implementations MUST generate S2K specifiers that include salts
>> +(either type 2, 3 or 4), as simple S2K specifiers are more vulnerable to
> (type 2 should actually be "type 1")
>> +dictionary attacks. Use of Argon2i is RECOMMENDED as it offers
>> +protection against massive-parallel and side-channel attacks. When
>> +reading S2K specifiers that do not include salts, implementations SHOULD
>> +issue a warning about potentially insecure methods being used. When
>> +reading S2K specifiers other than Argon2i, implementations SHOULD issue
>> +a warning about outdated methods being used.
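
Review bot: The MUST in the first added sentence lists "type 2, 3 or 4" as the salted specifiers, but in RFC 4880 the salted S2K is type 1 and type 2 is a reserved value, so the parenthetical should read "type 1, 3 or 4". Beyond the number, type 1 hashes the salt and passphrase once with no iteration count, so permitting it for generation gives a salt but no work factor; consider limiting the generation MUST to types 3 and 4. The two SHOULD-warn sentences also overlap: a specifier without a salt is also "other than Argon2i" and would trigger both warnings, so the text should say whether one or both are expected.
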
>
> We can of course raise the bar by excluding types 1 & 3 entirely.


That's what I would do.  Mode 4 is the only produced option in the new 
format.

  + Implementations MUST write in Argon2i and SHOULD read old formats.

Implementations will of course offer options to add back in 0,1,3, 
especially where the reading code is stuck on old format, and the 
writing code is new format.

But they won't be compliant.  And we can ostracise them accordingly, 
tell them they're using worse than MD5 and they're to blame for global 
warming and bad coffee.

iang
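
The read/write policy discussed in this thread, as an added example that is not part of the thread or of any OpenPGP implementation: it parses RFC 4880 S2K specifiers (types 0, 1, 3), returns the warnings the quoted patch text asks for on reading, and checks which types may be generated under either proposal. The function names and the sample bytes are constructed here, and type 4 is recognised by its type octet only because the thread does not show its body layout.

```python
# S2K types 0, 1 and 3 are defined in RFC 4880; 4 is the Argon2i type
# proposed in this thread. Assumption of this example: type 4 is matched
# by type octet only, since its body layout is not shown in the thread.
SIMPLE, SALTED, ITER_SALTED, ARGON2I = 0, 1, 3, 4
SALTED_TYPES = {SALTED, ITER_SALTED, ARGON2I}
S2K_LENGTH = {SIMPLE: 2, SALTED: 10, ITER_SALTED: 11}  # octets, type included


def parse_s2k(buf: bytes) -> dict:
    """Parse one S2K specifier from the start of buf."""
    if not buf:
        raise ValueError("empty S2K specifier")
    s2k_type = buf[0]
    if s2k_type == ARGON2I:
        return {"type": ARGON2I}
    if s2k_type not in S2K_LENGTH:
        raise ValueError(f"unknown or reserved S2K type {s2k_type}")
    if len(buf) < S2K_LENGTH[s2k_type]:
        raise ValueError("truncated S2K specifier")
    spec = {"type": s2k_type, "hash_algo": buf[1]}
    if s2k_type in (SALTED, ITER_SALTED):
        spec["salt"] = buf[2:10]
    if s2k_type == ITER_SALTED:
        c = buf[10]  # coded count, RFC 4880 section 3.7.1.3
        spec["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return spec


def read_warnings(spec: dict) -> list:
    """Warnings the quoted patch text asks a reader to issue."""
    found = []
    if spec["type"] not in SALTED_TYPES:
        found.append("potentially insecure: S2K specifier has no salt")
    if spec["type"] != ARGON2I:
        found.append("outdated: S2K specifier is not Argon2i")
    return found


def may_generate(s2k_type: int, argon2i_only: bool = True) -> bool:
    """argon2i_only=True is the reply's rule (write Argon2i only);
    False is the patch text (any salted type may be written)."""
    return s2k_type == ARGON2I if argon2i_only else s2k_type in SALTED_TYPES


# Constructed sample: iterated+salted, hash id 8, 8-octet salt, coded count 0x60.
SAMPLE = bytes([3, 8]) + bytes.fromhex("0102030405060708") + b"\x60"

if __name__ == "__main__":
    spec = parse_s2k(SAMPLE)
    print(spec["count"], read_warnings(spec), may_generate(spec["type"]))
```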