Re: [openpgp] Disadvantages of Salted Signatures

Andrew Gallagher <andrewg@andrewg.com> Sat, 09 December 2023 14:31 UTC

From: Andrew Gallagher <andrewg@andrewg.com>
Message-Id: <419B4D4B-3CAE-42F6-9ECC-1EC6EACE9157@andrewg.com>
Date: Sat, 09 Dec 2023 14:31:31 +0000
In-Reply-To: <87fs0br1zj.fsf@kaka.sjd.se>
Cc: "Neal H. Walfield" <neal@walfield.org>, Stephan Verbücheln <verbuecheln@posteo.de>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "openpgp\\\\@ietf.org" <openpgp@ietf.org>
References: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de> <87wmtna9pb.wl-neal@walfield.org> <87fs0br1zj.fsf@kaka.sjd.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/eRTvzYLPJ7Jv6wQiUMxFBeTz8pQ>

On 9 Dec 2023, at 12:31, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:
> 
> There is no reason a more
> OpenPGP-aware smartcard couldn't take all inputs and generate the random
> salt on board.

Would it be a sufficient mitigation then, to forbid such a (IIRC theoretical) blackbox implementation?

The important security property here is surely that the key owner can be confident of the correctness of their RNG, which is a basic assumption of most cryptography systems. If the key owner cannot trust their RNG, are there not multiple other weak points?

A