Re: [openpgp] OpenPGP SEIP downgrade attack

Werner Koch <wk@gnupg.org> Thu, 08 October 2015 16:21 UTC

From: Werner Koch <wk@gnupg.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <56128436.40607@assured.se> <87y4fh4210.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B28383@uxcn10-5.UoA.auckland.ac.nz> <87k2r04hak.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B2C5B4@uxcn10-5.UoA.auckland.ac.nz> <87si5m1ncm.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B2D532@uxcn10-5.UoA.auckland.ac.nz>
Organisation: g10 Code GmbH
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Date: Thu, 08 Oct 2015 18:18:17 +0200
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B2D532@uxcn10-5.UoA.auckland.ac.nz> (Peter Gutmann's message of "Thu, 8 Oct 2015 14:59:15 +0000")
Message-ID: <877fmx1ghi.fsf@vigenere.g10code.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/gAPnZgCtjXNpHvl_hiXogcBrtsg>
Cc: "cfrg@mail.ietf.org" <cfrg@mail.ietf.org>, Jonas Magazinius <jonas.magazinius@assured.se>, "cryptography@metzdowd.com" <cryptography@metzdowd.com>, "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] OpenPGP SEIP downgrade attack

On Thu,  8 Oct 2015 16:59, pgut001@cs.auckland.ac.nz said:

> (It's also not clear whether someone encrypting a 10k email message with PGP
> is going to notice it being processed at 100MB/s or 150MB/s).

I heard of backups somewhat larger than that.  For mail it is not a
problem anyway - you sign and encrypt and you are done.  Not even a need
for an MDC.

> (I actually really like OCB and don't like GCM much, but the patent situation
> makes it pretty problematic).

Well, for the majority of use cases there is a gratis license grant
from Phil Rogaway for his patents.
Furthermore, draft-zauner-tls-aes-ocb-03.txt states:

   6.  Intellectual Property Rights Issues

   Historically OCB Mode has seen difficulty with deployment and
   standardization because of pending patents and intellectual rights
   claims on OCB itself.  In preparation of this document all interested
   parties have declared they will issue IPR statements exempting use of
   OCB Mode in TLS from these claims.  Specifically - OCB Mode as
   described in this document for use in TLS - is based, and strongly
   influenced, by earlier work from Charanjit Jutla on [IAPM].

At IETF-93 this case was mentioned and it was suggested to ask for a
similar license exception [1,2] if we consider using OCB for OpenPGP.


Salam-Shalom,

   Werner


[1] https://datatracker.ietf.org/ipr/2647/
[2] https://datatracker.ietf.org/ipr/2640/

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.