[openpgp] Re: pure vs. pre-hash in FIPS 204 and 205

Andrew Gallagher <andrewg@andrewg.com> Thu, 29 August 2024 17:46 UTC

From: Andrew Gallagher <andrewg@andrewg.com>
Message-Id: <2027BD57-D6E2-400B-9AA3-8E444FE5372A@andrewg.com>
Date: Thu, 29 Aug 2024 18:46:21 +0100
In-Reply-To: <CAMm+Lwh-9yuEs7BYpsA-k9bKWZT8v7ws8BPMdtECj+DgOG6syw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <fb9f748b-2024-4de1-849a-e52880c9a241@mtg.de> <CAMm+Lwh-9yuEs7BYpsA-k9bKWZT8v7ws8BPMdtECj+DgOG6syw@mail.gmail.com>
CC: Falko Strenzke <falko.strenzke@mtg.de>, "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/hWKvV_MdgPJ-KpzlrdbDfgCCke0>

On 29 Aug 2024, at 17:21, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> I am also committed to hash-then-encrypt. It is the structure we adopted long ago and I don't see a good argument for changing. If we have a 1TB Zip file and it already has a SHA-2-512 digest in the checksum, we want to use that, not compile another digest. And I think we should use the same approach for certificates and assertions.

I don’t understand this. Do you mean hash-then-sign? And if so, I’m not sure how a zipfile checksum is relevant…?

> The manifest approach is actually superior though. Especially for OpenPGP because we should be signing the content metadata and not just the content. A semantic substitution attack is a much bigger threat than digest. Constructing a digest is very hard, constructing a PDF that reads as a legitimate JPEG is just hard and I can't remember which flip they did but I am pretty sure I remember an attack of that type.

IMO if we want to sign content metadata in a standardised way it should be done at the OpenPGP layer, via e.g. signature subpackets as we have discussed previously. This way, it is handled independently of the underlying signature algorithms. I don’t think combining these two problems makes either one easier to solve.

A
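An added illustration of the point made in the reply above (example code, not from the thread or from any OpenPGP implementation): the hashed input of an RFC 9580 v4 binary-document signature is built so that a Notation Data subpacket carrying the declared content type is covered by the signature, and the same input is consumed unchanged whether the primitive signs it "pure" or pre-hashed. The notation name `content-type@example.org`, the polyglot byte string, the key and the HMAC stand-in for the signature primitive are all constructed for this demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values; the HMAC below only stands in for a real signature primitive.
KEY = b"constructed-stand-in-signing-key"
POLYGLOT = b"%PDF-1.4\n\xff\xd8\xff\xe0 constructed bytes parsable as PDF or JPEG"
NOTATION = "content-type@example.org"          # constructed user-namespace notation name
SIG_VERSION, SIG_TYPE_BINARY, PK_ALG, HASH_SHA512 = 4, 0x00, 22, 10  # ids per RFC 9580

def subpacket(sp_type: int, body: bytes) -> bytes:
    """One-octet-length subpacket form: length covers the type octet plus body."""
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, sp_type]) + body

def notation(name: str, value: str) -> bytes:
    """Notation Data subpacket (type 20): flags, name length, value length, name, value."""
    n, v = name.encode(), value.encode()
    body = b"\x80\x00\x00\x00" + struct.pack(">HH", len(n), len(v)) + n + v  # 0x80 = human-readable
    return subpacket(20, body)

def hashed_input(data: bytes, subpackets: bytes) -> bytes:
    """Data, then the v4 signature header with its hashed subpackets, then the v4 trailer."""
    hdr = bytes([SIG_VERSION, SIG_TYPE_BINARY, PK_ALG, HASH_SHA512])
    hdr += struct.pack(">H", len(subpackets)) + subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(hdr))   # 4-octet length of the header block
    return data + hdr + trailer

def sign(key: bytes, data: bytes, subpackets: bytes, prehash: bool) -> bytes:
    """Pure mode signs the hashed input itself; pre-hash mode signs its SHA-512 digest."""
    m = hashed_input(data, subpackets)
    if prehash:
        m = hashlib.sha512(m).digest()
    return hmac.new(key, m, hashlib.sha512).digest()      # stand-in for ML-DSA/SLH-DSA

def verify(key: bytes, sig: bytes, data: bytes, subpackets: bytes, prehash: bool) -> bool:
    return hmac.compare_digest(sig, sign(key, data, subpackets, prehash))

def check(prehash: bool, bind: bool) -> tuple:
    """Sign the polyglot declared as PDF; verify it declared as PDF and then as JPEG.
    bind=False keeps the declaration outside the signed data, bind=True puts it in a subpacket."""
    declared = lambda t: notation(NOTATION, t) if bind else b""
    sig = sign(KEY, POLYGLOT, declared("application/pdf"), prehash)
    return tuple(verify(KEY, sig, POLYGLOT, declared(t), prehash)
                 for t in ("application/pdf", "image/jpeg"))
```

With the declaration unbound, both interpretations verify; with the notation in the hashed subpacket area, only the declared one does, and the outcome is identical in pure and pre-hash mode.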