Final comments on draft-ietf-openpgp-2440bis

[Sam Hartman <hartmans-ietf@mit.edu>]

Hi.

Previously I had passed along two comments on the openpgp spec to the chair:

* Concerns about the MDC

* A desire for an IANA section.

I'm evaluating the response to my concerns about the MDC.  It's
definitely true that I did not think through the use of the MDC in
detail, although even after doing so, I'm still uncomfortable.
I'm trying to talk to other security experts and get a second opinion; expect to hear back from me on this issue within a few days.

I'm working the IANA issue with the chair.

I have two minor comments about the security considerations section;
these comments will round out my review of the spec.

1) random oracle is used instead of oracle every time the word oracle
    is used.  An oracle is a construct with special computational
    ability (access to a key, access to extra storage, ability to
    perform long-running operations in one time step) that is useful
    in analysis of computability, complexity or security
    constructions.  A random oracle is an oracle that has a random
    function in it and exposes this function.

2) RFC 1750 is obseleted.  Please update to  4086.



thanks much,

--Sam





Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8T0f4MW058355; Thu, 28 Sep 2006 17:41:04 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8T0f4US058354; Thu, 28 Sep 2006 17:41:04 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8T0f314058346 for <ietf-openpgp@imc.org>; Thu, 28 Sep 2006 17:41:04 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 4E7D9E0128; Thu, 28 Sep 2006 20:40:48 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf-openpgp@imc.org
Subject: Final comments on draft-ietf-openpgp-2440bis
Date: Thu, 28 Sep 2006 20:40:48 -0400
Message-ID: <tslhcyrfqsv.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi.

Previously I had passed along two comments on the openpgp spec to the chair:

* Concerns about the MDC

* A desire for an IANA section.

I'm evaluating the response to my concerns about the MDC.  It's
definitely true that I did not think through the use of the MDC in
detail, although even after doing so, I'm still uncomfortable.
I'm trying to talk to other security experts and get a second opinion; expect to hear back from me on this issue within a few days.

I'm working the IANA issue with the chair.

I have two minor comments about the security considerations section;
these comments will round out my review of the spec.

1) random oracle is used instead of oracle every time the word oracle
    is used.  An oracle is a construct with special computational
    ability (access to a key, access to extra storage, ability to
    perform long-running operations in one time step) that is useful
    in analysis of computability, complexity or security
    constructions.  A random oracle is an oracle that has a random
    function in it and exposes this function.

2) RFC 1750 is obseleted.  Please update to  4086.



thanks much,

--Sam



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8MCf8nK042123; Fri, 22 Sep 2006 05:41:08 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8MCf8g2042122; Fri, 22 Sep 2006 05:41:08 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8MCf5du042113 for <ietf-openpgp@imc.org>; Fri, 22 Sep 2006 05:41:06 -0700 (MST) (envelope-from markokr@gmail.com)
Received: by nf-out-0910.google.com with SMTP id o60so1055945nfa for <ietf-openpgp@imc.org>; Fri, 22 Sep 2006 05:41:05 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=T3RcVcsfilDDPyjLtB2AvszwYGHYUiLeVmQJJgAVopQjlr5n1pS4IMz8XYDYWZuHpkEg4h/Z7uEeMc98acbP+9/mfnjF7mbcplFINsdZFtf2ZX+aFBlFyFNVcDbMAdGaAafCIGp0ZGBw0VmrJ7zO7rDr9YHanKQ8Snsg3sOs9so=
Received: by 10.49.8.1 with SMTP id l1mr1918809nfi; Fri, 22 Sep 2006 05:41:04 -0700 (PDT)
Received: by 10.49.65.12 with HTTP; Fri, 22 Sep 2006 05:41:04 -0700 (PDT)
Message-ID: <e51f66da0609220541p47ed73ecke4d5599114f1eff2@mail.gmail.com>
Date: Fri, 22 Sep 2006 15:41:04 +0300
From: "Marko Kreen" <markokr@gmail.com>
To: "Werner Koch" <wk@gnupg.org>
Subject: Re: [Sam Hartman] Openpgp comments
Cc: "Anton Stiglic" <astiglic@okiok.com>, "Daniel A. Nagy" <nagydani@epointsystem.org>, OpenPGP <ietf-openpgp@imc.org>
In-Reply-To: <874pv24sey.fsf@wheatstone.g10code.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20060920115146.9E8981683A9@mail.okiok.com> <874pv24sey.fsf@wheatstone.g10code.de>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 9/20/06, Werner Koch <wk@gnupg.org> wrote:
> On Wed, 20 Sep 2006 13:40, Anton Stiglic said:
> > NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224,
> > SHA-256, SHA-384 and SHA-512.
> > http://csrc.nist.gov/hash_standards_comments.pdf
> >
> > In Canada, CSE will phase out SHA-1 for protected C information by 2008.
>
> A note to describe why we use SHA-1 with the MDC would really be
> appropriate.  We are not using it for authentication but to detect
> manipulation of data.  This is commonly known as a checksum.  Thus,
> the acronym MDC and not MAC.  To me detection and authentication have
> different semantics.
>
> It has been said a few times: The MDC is not what we need to care
> about when thinking of SHA-1 vulnerabilities.  There are other usages
> of SHA-1 we need to rethink.

And that reasoning should be in 2440bis.

I think it's too early to get excited about politics.  The issue is
much simpler - non-experts are in no position to 'evaluate' OpenPGP's
use of SHA-1, they depend on the opinion on experts whether an algorithm
is generally secure.

So if 2440bis wants to appear secure by today's standards (for
general public), it needs to either use generally known safe algorithms
or explicitly document that the weaknesses in older algorithms it uses
are taken account of.

-- 
marko



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KDwBEk097309; Wed, 20 Sep 2006 06:58:11 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KDwBEo097308; Wed, 20 Sep 2006 06:58:11 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (branwen.iks-jena.de [217.17.192.90]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KDwAS5097301 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 06:58:11 -0700 (MST) (envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.13.8/8.13.1) with ESMTP id k8KDw6dB025136 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 15:58:08 +0200
X-MSA-Host: branwen.iks-jena.de
Received: (from news@localhost) by branwen.iks-jena.de (8.13.8/8.13.1/Submit) id k8KDw6aL025135 for ietf-openpgp@imc.org; Wed, 20 Sep 2006 15:58:06 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups: iks.lists.ietf-open-pgp
Subject: Re: [Sam Hartman] Openpgp comments
Date: Wed, 20 Sep 2006 13:58:06 +0000 (UTC)
Organization: IKS GmbH Jena
Lines: 9
Message-ID: <slrneh2i7e.g40.lutz@belenus.iks-jena.de>
References: <874pv24sey.fsf@wheatstone.g10code.de>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1158760686 25059 2001:4bd8:0:666:248:54ff:fe12:ad5f (20 Sep 2006 13:58:06 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Wed, 20 Sep 2006 13:58:06 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* Werner Koch wrote:
> I have not heard about any plans to switch to SHA-2.  At least Germany
> is still using RIPME-MD160 out of fear that SHA-1 has been developed
> in the U.S.  I don't think that this algorithm is any better than
> SHA-1 but some people decided in the past to use an European algorithm
> (another layer 9 issue).

With respect to the (not so) recent attacks of hash functions, RIPEMD is a
better choice then just another SHA variant.



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KCrTuF091703; Wed, 20 Sep 2006 05:53:29 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KCrTPW091702; Wed, 20 Sep 2006 05:53:29 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KCrRj9091696 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 05:53:28 -0700 (MST) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1GQ1i4-0006Pp-Cm for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 15:01:52 +0200
Received: from wk by localhost with local (Exim 4.62 #1 (Debian)) id 1GQ1TB-0005kg-Qp; Wed, 20 Sep 2006 14:46:29 +0200
From: Werner Koch <wk@gnupg.org>
To: "Anton Stiglic" <astiglic@okiok.com>
Cc: "'Daniel A. Nagy'" <nagydani@epointsystem.org>, "'OpenPGP'" <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
References: <20060920115146.9E8981683A9@mail.okiok.com>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:wk@g10code.com
Date: Wed, 20 Sep 2006 14:46:29 +0200
In-Reply-To: <20060920115146.9E8981683A9@mail.okiok.com> (Anton Stiglic's message of "Wed, 20 Sep 2006 07:40:35 -0400")
Message-ID: <874pv24sey.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.110006 (No Gnus v0.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Wed, 20 Sep 2006 13:40, Anton Stiglic said:

> NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224,
> SHA-256, SHA-384 and SHA-512.  
> http://csrc.nist.gov/hash_standards_comments.pdf
>
> In Canada, CSE will phase out SHA-1 for protected C information by 2008.

A note to describe why we use SHA-1 with the MDC would really be
appropriate.  We are not using it for authentication but to detect
manipulation of data.  This is commonly known as a checksum.  Thus,
the acronym MDC and not MAC.  To me detection and authentication have
different semantics.

It has been said a few times: The MDC is not what we need to care
about when thinking of SHA-1 vulnerabilities.  There are other usages
of SHA-1 we need to rethink.

Over the last 8 years since rfc2440 we have talked several times about
things we want to address in the future.  There is actually a long
list.  We can't keep important OpenPGP features - which address actual
vulnerabilities - any longer in an I-D state just for the sake of
getting rid of SHA-1 now.  We need time to address all these items
properly and not do some ad-hoc solutions.  In the meantime 2440bis
needs to get out.  Whether with or without an MDCv2 political option, I
don't care.

> I don't know what is going on in Europe and the rest of the world, but I
> would be surprised if they were going with SHA-1 in the long term.
> You cannot ignore these decisions if you want openpgp to be successful.

I have not heard about any plans to switch to SHA-2.  At least Germany
is still using RIPME-MD160 out of fear that SHA-1 has been developed
in the U.S.  I don't think that this algorithm is any better than
SHA-1 but some people decided in the past to use an European algorithm
(another layer 9 issue).


Salam-Shalom,

   Werner



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KBefRu084556; Wed, 20 Sep 2006 04:40:41 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KBef1t084555; Wed, 20 Sep 2006 04:40:41 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.okiok.com (host70.okiok.com [207.61.238.70] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KBedD0084547 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 04:40:40 -0700 (MST) (envelope-from astiglic@okiok.com)
Received: from P1038Mobile (modemcable188.189-82-70.mc.videotron.ca [70.82.189.188]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.okiok.com (Postfix) with ESMTP id 9E8981683A9; Wed, 20 Sep 2006 07:51:46 -0400 (EDT)
From: "Anton Stiglic" <astiglic@okiok.com>
To: "'Daniel A. Nagy'" <nagydani@epointsystem.org>, "'OpenPGP'" <ietf-openpgp@imc.org>
Subject: RE: [Sam Hartman] Openpgp comments
Date: Wed, 20 Sep 2006 07:40:35 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To: <20060919231313.GA10365@epointsystem.org>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Thread-Index: AcbcRbod4xVLm9xWSV+FRl3pUEIhwQAY2TaQ
Message-Id: <20060920115146.9E8981683A9@mail.okiok.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224,
SHA-256, SHA-384 and SHA-512.  
http://csrc.nist.gov/hash_standards_comments.pdf

In Canada, CSE will phase out SHA-1 for protected C information by 2008.

I don't know what is going on in Europe and the rest of the world, but I
would be surprised if they were going with SHA-1 in the long term.
You cannot ignore these decisions if you want openpgp to be successful.

--Anton


-----Original Message-----
From: owner-ietf-openpgp@mail.imc.org
[mailto:owner-ietf-openpgp@mail.imc.org] On Behalf Of Daniel A. Nagy
Sent: September 19, 2006 6:13 PM
To: OpenPGP
Subject: Re: [Sam Hartman] Openpgp comments

On Tue, Sep 19, 2006 at 06:55:32PM -0400, David Shaw wrote:

> I'm not against a SHA-256 or 512 based MDC.

This would make encryption/decryption measurably slower, for no benefit
whatsoever. SHA1 provides a comfortable security margin even taking all
recent developments into consideration.

-- 
Daniel



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JNDxBd015221; Tue, 19 Sep 2006 16:13:59 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JNDxqq015220; Tue, 19 Sep 2006 16:13:59 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JNDtQC015199 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 16:13:57 -0700 (MST) (envelope-from nagydani@epointsystem.org)
Received: by mail.epointsystem.org (Postfix, from userid 1001) id A6AD13B2F; Wed, 20 Sep 2006 01:13:13 +0200 (CEST)
Date: Wed, 20 Sep 2006 01:13:13 +0200
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919231313.GA10365@epointsystem.org>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de> <20060919144037.GD30748@jabberwocky.com> <45103D0C.3000707@systemics.com> <20060919225532.GC32656@jabberwocky.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua"
Content-Disposition: inline
In-Reply-To: <20060919225532.GC32656@jabberwocky.com>
User-Agent: Mutt/1.5.9i
From: nagydani@epointsystem.org (Daniel A. Nagy)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 19, 2006 at 06:55:32PM -0400, David Shaw wrote:

> I'm not against a SHA-256 or 512 based MDC.

This would make encryption/decryption measurably slower, for no benefit
whatsoever. SHA1 provides a comfortable security margin even taking all
recent developments into consideration.

--=20
Daniel

--SUOF0GtieIMvvwua
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iQDVAwUBRRB5ia6pEulQFnIMAQIEygX+LihxwTWwaA3gfMUT6uR1wa056X4/8jYZ
gqrG1LtdZzqtKuLXjsLu+b92pHFFpiGRBINnYRW9WlsdJaAoT5qHBk1NM/oVO+5n
qFcXf4kK3VbewqdAhP05dPMAyidFo2xv9/+Fl6WJmtmfX4bOOTGtvTjG3836yriS
7XcoQ0o4ChL9KHK1r6Qzl2CaPUcLIYZqr+tKNKX8CEwWBsezCdAMbWwxZdcJgUdF
zo2zD3B5RYdirlY6+ybvRx21TslXKN4F
=tRsH
-----END PGP SIGNATURE-----

--SUOF0GtieIMvvwua--



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMthcx013797; Tue, 19 Sep 2006 15:55:43 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JMthfV013796; Tue, 19 Sep 2006 15:55:43 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMtf66013789 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:55:42 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k8JMtdx28849 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 18:55:40 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.13.7/8.13.7) with ESMTP id k8JMtbl4024435 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 18:55:37 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k8JMtXlP000581 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 18:55:33 -0400
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k8JMtWSL000580 for ietf-openpgp@imc.org; Tue, 19 Sep 2006 18:55:32 -0400
Date: Tue, 19 Sep 2006 18:55:32 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919225532.GC32656@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de> <20060919144037.GD30748@jabberwocky.com> <45103D0C.3000707@systemics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45103D0C.3000707@systemics.com>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.12 (2006-08-05)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Tue, Sep 19, 2006 at 08:55:08PM +0200, Ian G wrote:

> To my mind, then, it comes down to an optimisation
> problem in determining how to get the doc out the
> door.  Security, common sense, and all that are
> out the window.

I know you're not serious, but if anyone wants to discard "security,
common sense, and all that", then they should really just be silent.

I'm not against a SHA-256 or 512 based MDC.  I'm just noting that this
issue seems to be a misunderstanding between this WG and the ADs, and
it might be nice to know what is going on and ensure we understand
what the objection is before we change the design.

Sam Hartman offered to speak on the phone.  I'd be happy to make that
call, though Jon Callas or Hal Finney would probably be a better
choice.  All I ask for is a 10 minute phone call.  We've already spent
many times that in this discussion.

David



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMkMIj013208; Tue, 19 Sep 2006 15:46:22 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JMkMKr013207; Tue, 19 Sep 2006 15:46:22 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMkKJG013199 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:46:21 -0700 (MST) (envelope-from nagydani@epointsystem.org)
Received: by mail.epointsystem.org (Postfix, from userid 1001) id 6F1BB3B2F; Wed, 20 Sep 2006 00:45:38 +0200 (CEST)
Date: Wed, 20 Sep 2006 00:45:38 +0200
To: ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919224538.GA8290@epointsystem.org>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <20060919023332.GA30748@jabberwocky.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr"
Content-Disposition: inline
In-Reply-To: <20060919023332.GA30748@jabberwocky.com>
User-Agent: Mutt/1.5.9i
From: nagydani@epointsystem.org (Daniel A. Nagy)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--liOOAslEiF7prFVr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Sep 18, 2006 at 10:33:32PM -0400, David Shaw wrote:
>=20
> On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
>=20
> > The second issue is the encryption with integrity packet.  Today this
> > is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> > for that and I think we need to support SHA-256 now.
>=20
> Does the MDC actually need collision resistance?  I was under the
> impression that (like the secret key "S2K 254" use of SHA-1) this was
> essentially a checksum and the recent attacks against SHA-1 did not
> apply.

I have just discussed this issue with my students at our cryptography
seminar. The general consensus is that MDCs do not need collision
resistance. Thus, SHA1 is secure with a huge security margin. The recent
weakening of SHA1 means that finding a pre-image takes approx 2^138
attempts, which is still comfortably beyond reach for today's and tomorrow's
technology. Introducing longer hashes would make it slower, while not
improving security. If you insist, I can provide the complete reasoning why
collision-resistance is not required for MDC.

 If anything, I would consider RIPEMD128, as it is faster than SHA1 and
offers about the same level of security while being a bit shorter. But
then again, there's no reason to mess with the standard as it is.

--=20
Daniel

--liOOAslEiF7prFVr
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iQDVAwUBRRBzEq6pEulQFnIMAQIV9QX/ajBKkNHLZjR8qB4YeLt814lzY2WdFduz
khK9fL3UvQpO6Ns1YmRx/0gfregqHXxfASGm7N/og78rBFw5YZG36wIf5sMa9kPP
o1ECZO0o0h7Kj/4dF9qxIjDFFpvclfL/ZSVDPdQ1yxTA8yNX2ogIctrHVSh6L2Gm
zg95jJl/pxeQ6Y6Skwv7uYweaAvZqzwWRvDZi3jEityGSKETJPUDg+/P7Jwqqa70
q4Fw7RtAZyuybXBuAHVPxwzOgVY4maP7
=3mtR
-----END PGP SIGNATURE-----

--liOOAslEiF7prFVr--



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JLk23Q009358; Tue, 19 Sep 2006 14:46:02 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JLk2dc009357; Tue, 19 Sep 2006 14:46:02 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JLk00C009349 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 14:46:02 -0700 (MST) (envelope-from jon@callas.org)
Received: from keys.merrymeet.com (keys.merrymeet.com [63.73.97.166]) (Authenticated sender: jon) by merrymeet.com (Postfix) with ESMTP id D32C72A5EA0 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 14:45:59 -0700 (PDT)
Received: from [63.251.255.205] ([63.251.255.205]) by keys.merrymeet.com (PGP Universal service); Tue, 19 Sep 2006 14:45:59 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Tue, 19 Sep 2006 14:45:59 -0700
Mime-Version: 1.0 (Apple Message framework v752.2)
In-Reply-To: <45103D0C.3000707@systemics.com>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de> <20060919144037.GD30748@jabberwocky.com> <45103D0C.3000707@systemics.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <F79D84DB-C2EB-4F53-B90B-EE52755F5FEE@callas.org>
Content-Transfer-Encoding: 7bit
From: Jon Callas <jon@callas.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 14:45:57 -0700
To: OpenPGP <ietf-openpgp@imc.org>
X-Mailer: Apple Mail (2.752.2)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I agree with Ian. Remember those t-shirts they used to sell with the  
nine-layer ISO model? Layer 8 is the Financial Layer and Layer 9 is  
the Political Layer. There's an arrow pointing to Layer 9 with the  
message, "You are here."

I think it's worthwhile to have a phone call or perhaps even better a  
Jabber meeting. I'm in other working groups that do semi-regular  
Jabber conferences. A major reason for a Jabber conference is that it  
is my perception that it is the consensus of this working group that  
we disagree with the ADs. I think they need to talk to the working  
group as a whole. Jabber would be great for that.

On the other hand, we're at the political layer, and I'm happy to put  
in a SHA-256 MDC, if that will get us done. Furthermore, it may turn  
out that in five years we'll be happy we did. Heck, it could always  
turn out that SHA-1 isn't one-way enough. OpenPGP has always been  
forward-thinking, and we are known for being more on top of these  
issues than anyone else. Consequently, if we put in a new MDC and say  
that you MAY do it, the implementers don't have to do it until they  
are in the mood. Even if we say SHOULD accept and MAY generate, it's  
a small burden.

I think that coming up with a true replacement for the MDC is work we  
ought to do. It's on my list of things to do post-2440bis. I think  
this gets in the way of that, but if that's what it takes us to  
finish, it's what it takes us to finish.

	Jon



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JIt52A095244; Tue, 19 Sep 2006 11:55:05 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JIt5Mj095243; Tue, 19 Sep 2006 11:55:05 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailgate.enhyper.net ([80.168.109.121]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JIt3t4095217 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 11:55:04 -0700 (MST) (envelope-from iang@systemics.com)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 368532F0D2 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 19:54:57 +0100 (BST)
Message-ID: <45103D0C.3000707@systemics.com>
Date: Tue, 19 Sep 2006 20:55:08 +0200
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Thunderbird 1.5 (X11/20060317)
MIME-Version: 1.0
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de> <20060919144037.GD30748@jabberwocky.com>
In-Reply-To: <20060919144037.GD30748@jabberwocky.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

David Shaw wrote:
> On Tue, Sep 19, 2006 at 03:33:30PM +0200, Werner Koch wrote:
> 
>> The more interesting question is what we are going to do about the
>> SHA-1 requirement for a fingerprint and things like designated
>> revokers - this is a more troublesome use of SHA-1. Oh, sorry, I was
>> just thinking loudly.
> 
> This is exactly my point.  If we reopen the SHA-1 issue for the MDC,
> what stops someone from wanting a change in fingerprints or the secret
> key protection format, or the "hash of last resort" or any of the
> other hardcoded uses of SHA-1 in the standard?


Yes.  But at the end of the day, regardless of
whether we leave the doc as it is, or fix the MDC,
or fix the above things, I'd suggest that the
difference is the same:  minimal.

That is, a far better result is getting the doc
finished and out the door ... partly because this
appears to be a "herding" change of no great
security impact, and partly so we can start on
an updated / rewired / rewritten / reviewed doc.

To my mind, then, it comes down to an optimisation
problem in determining how to get the doc out the
door.  Security, common sense, and all that are
out the window.


> The request to remove SHA-1 from the MDC seems to be just a
> misunderstanding.  It's worth an email to try and resolve the
> misunderstanding before we get into design, much less code, changes.


If you are confident of that, perhaps have a shot
at drafting that email?  As "plan B."

This might leave Jon free to concentrate on the
"plan A" approach of adding MDC-v2,3.

(Just a thought ... I'm not clear enough on the
minutia to be confident enough to draft the email,
myself.)

> A simple email to resolve a misunderstanding seems like the easiest
> "fix" here.  If that doesn't work, or it turns out not to be a
> misunderstanding, then we can go on and do the design changes, no harm
> done.

Perhaps the phone conference as suggested?  I
can see how that might get a result more quickly,
as it allows misunderstandings to be cleared up
more easily than an email cycle.

Just throwing ideas around, here.  Feel free to
ignore.

iang



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JEekN8070242; Tue, 19 Sep 2006 07:40:46 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JEekEg070241; Tue, 19 Sep 2006 07:40:46 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JEejqv070235 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 07:40:46 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k8JEeix25947 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 10:40:44 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.13.7/8.13.7) with ESMTP id k8JEeeiX022587 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 10:40:41 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k8JEecJn032422 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 10:40:38 -0400
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k8JEecw4032421 for ietf-openpgp@imc.org; Tue, 19 Sep 2006 10:40:38 -0400
Date: Tue, 19 Sep 2006 10:40:37 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919144037.GD30748@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <871wq89e1h.fsf@wheatstone.g10code.de>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.12 (2006-08-05)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Tue, Sep 19, 2006 at 03:33:30PM +0200, Werner Koch wrote:

> The more interesting question is what we are going to do about the
> SHA-1 requirement for a fingerprint and things like designated
> revokers - this is a more troublesome use of SHA-1. Oh, sorry, I was
> just thinking loudly.

This is exactly my point.  If we reopen the SHA-1 issue for the MDC,
what stops someone from wanting a change in fingerprints or the secret
key protection format, or the "hash of last resort" or any of the
other hardcoded uses of SHA-1 in the standard?

The request to remove SHA-1 from the MDC seems to be just a
misunderstanding.  It's worth an email to try and resolve the
misunderstanding before we get into design, much less code, changes.

A simple email to resolve a misunderstanding seems like the easiest
"fix" here.  If that doesn't work, or it turns out not to be a
misunderstanding, then we can go on and do the design changes, no harm
done.

David



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JDcV22065563; Tue, 19 Sep 2006 06:38:31 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JDcVW3065561; Tue, 19 Sep 2006 06:38:31 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JDcRnP065546 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 06:38:29 -0700 (MST) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1GPfw3-0003uM-Ps for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:46:51 +0200
Received: from wk by localhost with local (Exim 4.62 #1 (Debian)) id 1GPfj9-0002lA-5Q for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:33:31 +0200
From: Werner Koch <wk@gnupg.org>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:wk@g10code.com
Date: Tue, 19 Sep 2006 15:33:30 +0200
In-Reply-To: <20060919121914.GC30748@jabberwocky.com> (David Shaw's message of "Tue, 19 Sep 2006 08:19:14 -0400")
Message-ID: <871wq89e1h.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.110006 (No Gnus v0.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Tue, 19 Sep 2006 14:19, David Shaw said:

> It will take a very long time (at least a year, if not longer) before
> a MDC2 and MDC3 are widely supported, and until then we run the risk

Given all the communication problems we had in the past with other
cryptographers on the use of the MDC, it might indeed be easier to
just add an MDCv2 as a MAY or SHOULD.

Even if we would flag an MDCv2 as a SHOULD feature, we as implementors
may still decide not to use it for a good reason (e.g. performance).
However the IESG rules are satisfied ;-)

The more interesting question is what we are going to do about the
SHA-1 requirement for a fingerprint and things like designated
revokers - this is a more troublesome use of SHA-1. Oh, sorry, I was
just thinking loudly.


Salam-Shalom,

   Werner




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JCJRh7057005; Tue, 19 Sep 2006 05:19:27 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JCJRlB057004; Tue, 19 Sep 2006 05:19:27 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JCJM5I056997 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 05:19:26 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k8JCJLx25353 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 08:19:21 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.13.7/8.13.7) with ESMTP id k8JCJGmm022046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 08:19:16 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k8JCJFYB032081 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 08:19:15 -0400
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k8JCJE1k032080 for ietf-openpgp@imc.org; Tue, 19 Sep 2006 08:19:14 -0400
Date: Tue, 19 Sep 2006 08:19:14 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919121914.GC30748@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.12 (2006-08-05)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, Sep 18, 2006 at 05:39:14PM -0700, Jon Callas wrote:

> So -- my question for the WG: Is this alright with you? I want to get  
> 2440bis done. I think that answers the perception that SHA-1 isn't  
> good enough, without causing us to do a lot of work. If y'all think  
> this is good, I'll do it in the next few days.

What troubles me is that this is attempting to fix a perceived problem
that isn't really a problem.  Fixing perceived problems is sometimes
harder than fixing real ones.  For example, if the mere use of SHA-1
is the problem, there are also a number of other places where SHA-1 is
hardcoded (which aren't a problem either) that aren't "resolved" by
this.

It will take a very long time (at least a year, if not longer) before
a MDC2 and MDC3 are widely supported, and until then we run the risk
of interoperability problems.  It probably won't be as bad as some of
the interoperability problems in the past as the preferences and
feature flags are more widely implemented now, but it's still a change
with the usual risks of change.

I suggest we at least push back a little bit, and send your excellent
explanation of the issue to the appropriate people at the IESG.  After
that, if they still want a hash upgrade, I will not object.

David



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J8mSNJ035098; Tue, 19 Sep 2006 01:48:28 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8J8mSgC035097; Tue, 19 Sep 2006 01:48:28 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J8mQda035089 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 01:48:27 -0700 (MST) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1GPbPP-0001BC-2V for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 10:56:51 +0200
Received: from wk by localhost with local (Exim 4.62 #1 (Debian)) id 1GPbDS-0000Sq-Kb; Tue, 19 Sep 2006 10:44:30 +0200
From: Werner Koch <wk@gnupg.org>
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:wk@g10code.com
Date: Tue, 19 Sep 2006 10:44:30 +0200
In-Reply-To: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> (Jon Callas's message of "Mon, 18 Sep 2006 17:39:14 -0700")
Message-ID: <8764fkb5zl.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.110006 (No Gnus v0.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Tue, 19 Sep 2006 02:39, Jon Callas said:

> So -- my question for the WG: Is this alright with you? I want to get
> 2440bis done. I think that answers the perception that SHA-1 isn't
> good enough, without causing us to do a lot of work. If y'all think

I concur with your reasoning to stay with SHA-1 and to allow (MAY) for
a v2 MDC packet using SHA-256.  If you have some text to explain for
what we use the MDC it would be good to see it in the security notes.


Shalom-Salam,

   Werner



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J8kbu3034956; Tue, 19 Sep 2006 01:46:37 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8J8kbkV034955; Tue, 19 Sep 2006 01:46:37 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailgate.enhyper.net ([80.168.109.121]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J8kaPp034947 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 01:46:37 -0700 (MST) (envelope-from iang@systemics.com)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 877255D1DA; Tue, 19 Sep 2006 09:46:30 +0100 (BST)
Message-ID: <450FAE6D.5040401@systemics.com>
Date: Tue, 19 Sep 2006 10:46:37 +0200
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Thunderbird 1.5 (X11/20060317)
MIME-Version: 1.0
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
In-Reply-To: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Jon Callas wrote:
> I *have* gone and read RFC 4120, the Kerb 5 RFC, to see what they have 
> in their IANA considerations. I can come up with something analogous for 
> us.


(In the absence of any contention, I'd vote YES
without trying to figure this one out.)

(Fine analysis snipped.)


> Thus, there really is no need to use anything other than SHA-1 in the 
> MDC system. The weaknesses in SHA-1 are in qualities that the MDC does 
> not use. I believe that taking these comments and putting them in a 
> paragraph in the Security Considerations section is warranted because 
> people keep misunderstanding the MDC.


(Concur with putting in the note;  indeed it might
be useful for historical purposes -- "why did they
bother with that??" -- to put in a note to effect
that the v2/v3 was added at request.)


> Having said that, I don't want to argue. I have a proposal for an 
> upgrade of the MDC, and frankly, it is going to be less work for me to 
> put this into 2440bis that it would be to defend not putting it in. In 
> the interests of just getting this done, here's my proposal for the WG.


( Minor quibble.  What is left is the implementation
and testing time.  That's non-trivial, every new
feature is only a few hours to code and days and days
of kerfuffle getting everyone else on the same page
and dealing with the diverging versions.

If we were minded to do security rather than finish
the damned document, then a stiffly worded complaint
to the IESG about complexity and featurism would be
in order. )


> I propose that we create an MDC V2 packet. Formally, this is the "Sym. 
> Encrypted Integrity Protected Data Packet (Tag 18)" which is in section 
> 5.13. The V2 packet differs from the V1 packet only in that it uses 
> SHA-256 instead of SHA-1. Obviously, there has to be a corresponding 
> change to the "Modification Detection Code Packet (Tag 19)" packet so 
> that it uses the natural length of the hash in the tag 18 packet.
> 
> I also propose a V3 packet that uses SHA-512. We might as well do it now.


MDC V2 would be SHOULD, and MDC V3 would be MAY?

No, backtrack that.  You decide, I'll vote yes
whichever :)

> The advantage of this solution is that it provides minimal upset to the 
> current  way of doing things. At the protocol level, it's just like the 
> current system, just with another hash. For implementers, the same 
> advantage holds. There's no new architectural changes, just an algorithm 
> change. It also does not require secondary protocol changes (like having 
> a features bit to announce that you implement it). A features bit is an 
> advantage, but not necessary. Oh, what the heck. I'll write in the 
> features bit, too, for completeness.
> 
> The only downside that I see of this approach is that it is a very 
> slight abuse of the version number of the packet. If we only added in 
> SHA-256, it would be a straightforward upgrade, but putting in V2 and V3 
> is a wee bit hokey.


You mean here, *conceptually* this is an abuse as
versions should improve in time and older ones
should be deprecated?  And here you are proposing
to put in two versions at the same time?

I see no difficulty here -- it's what the flexibility
of versions is built for, dealing with unforeseen
circumstances.  They aren't always regular.


> However, one of the items that is on our list of things to do for post 
> 2440bis is to examine a complete upgrade of symmetric encryption and use 
> some form of HMAC or authenticated encryption. Just adding in MDCs with 
> SHA-256 and 512 will give us an answer to the SHA-1 issue without 
> causing major disruption to the protocol.


Yes.

> So -- my question for the WG: Is this alright with you? I want to get 
> 2440bis done. I think that answers the perception that SHA-1 isn't good 
> enough, without causing us to do a lot of work. If y'all think this is 
> good, I'll do it in the next few days.

I agree, do it.  If there is a neat and easy solution,
then put it in.


iang



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J8JPBk032662; Tue, 19 Sep 2006 01:19:25 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8J8JPvp032661; Tue, 19 Sep 2006 01:19:25 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailgate.enhyper.net ([80.168.109.121]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J8JOho032626 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 01:19:24 -0700 (MST) (envelope-from iang@systemics.com)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 042E75D1D3 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 09:19:17 +0100 (BST)
Message-ID: <450FA80D.4020506@systemics.com>
Date: Tue, 19 Sep 2006 10:19:25 +0200
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Thunderbird 1.5 (X11/20060317)
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <20060919023332.GA30748@jabberwocky.com>
In-Reply-To: <20060919023332.GA30748@jabberwocky.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

David Shaw wrote:
> On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
> 
>> The second issue is the encryption with integrity packet.  Today this
>> is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
>> for that and I think we need to support SHA-256 now.
> 
> Does the MDC actually need collision resistance?  I was under the
> impression that (like the secret key "S2K 254" use of SHA-1) this was
> essentially a checksum and the recent attacks against SHA-1 did not
> apply.


Yes, that was my question too.

iang



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J2Xh8F099352; Mon, 18 Sep 2006 19:33:43 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8J2Xhh7099351; Mon, 18 Sep 2006 19:33:43 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J2Xg80099345 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 19:33:43 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k8J2Xex22199 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 22:33:40 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.13.7/8.13.7) with ESMTP id k8J2XcPp019885 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 22:33:39 -0400
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k8J2XXD5030956 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 22:33:33 -0400
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k8J2XWFk030955 for ietf-openpgp@imc.org; Mon, 18 Sep 2006 22:33:32 -0400
Date: Mon, 18 Sep 2006 22:33:32 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919023332.GA30748@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <sjmd59txlnv.fsf@cliodev.pgp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <sjmd59txlnv.fsf@cliodev.pgp.com>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.12 (2006-08-05)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:

> The second issue is the encryption with integrity packet.  Today this
> is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> for that and I think we need to support SHA-256 now.

Does the MDC actually need collision resistance?  I was under the
impression that (like the secret key "S2K 254" use of SHA-1) this was
essentially a checksum and the recent attacks against SHA-1 did not
apply.

David



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J0dJLx089111; Mon, 18 Sep 2006 17:39:19 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8J0dJ4V089110; Mon, 18 Sep 2006 17:39:19 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8J0dInp089104 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 17:39:19 -0700 (MST) (envelope-from jon@callas.org)
Received: from keys.merrymeet.com (keys.merrymeet.com [63.73.97.166]) (Authenticated sender: jon) by merrymeet.com (Postfix) with ESMTP id 1279D2A33CE for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 17:39:18 -0700 (PDT)
Received: from [63.251.255.205] ([63.251.255.205]) by keys.merrymeet.com (PGP Universal service); Mon, 18 Sep 2006 17:39:17 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Mon, 18 Sep 2006 17:39:17 -0700
Mime-Version: 1.0 (Apple Message framework v752.2)
In-Reply-To: <sjmd59txlnv.fsf@cliodev.pgp.com>
References: <sjmd59txlnv.fsf@cliodev.pgp.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
Content-Transfer-Encoding: 7bit
From: Jon Callas <jon@callas.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Mon, 18 Sep 2006 17:39:14 -0700
To: OpenPGP <ietf-openpgp@imc.org>
X-Mailer: Apple Mail (2.752.2)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 18 Sep 2006, at 8:02 AM, Derek Atkins wrote:

> Forwarded with permission.
>
> It looks like we still have some work to do on rfc2440bis.
> Do we need a meeting in San Diego?  If so, I need to
> request it today.
>

I don't think you need to request a meeting; if you do, we'll just  
get up with a slide that goes over what we say on the list.
>
> The first is the lack of IANA registries.  I understand this is left
> over from 2440.  Back then, the IESG was much more willing to approve
> documents without IANA registries.  Even in recent times the IESG has
> done this--for example, RFC 4120 doesn't have IANA registries created.
> It's actually my negative experience with RFC 4120 as well as changes
> in IESG membership that cause me to be quite certain that PGP needs
> IANA registries for all its parameters.  This is doubly true if we're
> closing down the working group.  You can use standards action as the
> registration policy if you are concerned about interactions with the
> rest of the spec.  Take a look at RFC 2434.  The one caution I'd
> suggest is that if you use the IESG approval registration policy,
> please give the IESG clear guidelines on what we should look for.
> "Evaluate using the same criteria as standards actions" is a fine
> criteria as is something like "avoid security and interoperability
> problems."

I am happy with either using standards action, or IESG handling it  
with the same criteria as standards actions. What I perceive to be  
the consensus of this working group is that we want that, anyway.

What would the IESG prefer?

I have read RFC 2434, and there isn't boilerplate in it. I can  
replace the existing text with a sentence or three that matches this.

I *have* gone and read RFC 4120, the Kerb 5 RFC, to see what they  
have in their IANA considerations. I can come up with something  
analogous for us.

>
>
> The second issue is the encryption with integrity packet.  Today this
> is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> for that and I think we need to support SHA-256 now.
>

Well. I don't see the problem, but let's discuss that in a moment,  
because I also have a solution.

>
> I realize both of these issues are large.
>
> I'd be happy to get together with you and the authors on a conference
> call if that would be useful.

Neither are really large. They'll take me about an hour each, and the  
IANA one is harder, only because I have to guess as to what to say.

Going on to the MDC issue, I want to make a couple comments, and then  
propose a change.

The MDC system has as its only requirement on the hash function that  
it be one-way. It is similar to an "authenticated cipher" but not  
even that, really.

If you want an authenticated message, there is a perfectly good  
mechanism in OpenPGP for authenticating a message --- you sign it.

However, there are many times when people do not want to sign  
messages, for a large number of reasons. (They don't want the  
signature to be taken as a commitment to content; they want the  
message to be "deniable;" etc.) Without some sort of integrity  
protection, CFB or CBC mode can be modified undetectably. The goal of  
the MDC is to be a fancy checksum; checksums like CRC do not have  
good characteristics when mixed with cryptography. The MDC does *not*  
rely on collision-resistance. The smart way someone attacks a  
deniable cryptosystem is to just create a forgery out of whole cloth.

Thus, there really is no need to use anything other than SHA-1 in the  
MDC system. The weaknesses in SHA-1 are in qualities that the MDC  
does not use. I believe that taking these comments and putting them  
in a paragraph in the Security Considerations section is warranted  
because people keep misunderstanding the MDC.

Having said that, I don't want to argue. I have a proposal for an  
upgrade of the MDC, and frankly, it is going to be less work for me  
to put this into 2440bis that it would be to defend not putting it  
in. In the interests of just getting this done, here's my proposal  
for the WG.

I propose that we create an MDC V2 packet. Formally, this is the  
"Sym. Encrypted Integrity Protected Data Packet (Tag 18)" which is in  
section 5.13. The V2 packet differs from the V1 packet only in that  
it uses SHA-256 instead of SHA-1. Obviously, there has to be a  
corresponding change to the "Modification Detection Code Packet (Tag  
19)" packet so that it uses the natural length of the hash in the tag  
18 packet.

I also propose a V3 packet that uses SHA-512. We might as well do it  
now.

The advantage of this solution is that it provides minimal upset to  
the current  way of doing things. At the protocol level, it's just  
like the current system, just with another hash. For implementers,  
the same advantage holds. There's no new architectural changes, just  
an algorithm change. It also does not require secondary protocol  
changes (like having a features bit to announce that you implement  
it). A features bit is an advantage, but not necessary. Oh, what the  
heck. I'll write in the features bit, too, for completeness.

The only downside that I see of this approach is that it is a very  
slight abuse of the version number of the packet. If we only added in  
SHA-256, it would be a straightforward upgrade, but putting in V2 and  
V3 is a wee bit hokey.

However, one of the items that is on our list of things to do for  
post 2440bis is to examine a complete upgrade of symmetric encryption  
and use some form of HMAC or authenticated encryption. Just adding in  
MDCs with SHA-256 and 512 will give us an answer to the SHA-1 issue  
without causing major disruption to the protocol.

So -- my question for the WG: Is this alright with you? I want to get  
2440bis done. I think that answers the perception that SHA-1 isn't  
good enough, without causing us to do a lot of work. If y'all think  
this is good, I'll do it in the next few days.

	Jon




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IJh1l8069270; Mon, 18 Sep 2006 12:43:01 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8IJh1nt069269; Mon, 18 Sep 2006 12:43:01 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IJgwl2069260 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 12:43:00 -0700 (MST) (envelope-from hal@finney.org)
Received: by finney.org (Postfix, from userid 500) id 1C12B14F6BC; Mon, 18 Sep 2006 12:43:08 -0700 (PDT)
To: derek@ihtfp.com, ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Message-Id: <20060918194308.1C12B14F6BC@finney.org>
Date: Mon, 18 Sep 2006 12:43:08 -0700 (PDT)
From: hal@finney.org ("Hal Finney")
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Derek forwards from Sam Hartman of IETF:
> However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.
>
> The first is the lack of IANA registries....

It sounds like we can use some boilerplate language here without much
difficulty.

> The second issue is the encryption with integrity packet.  Today this
> is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> for that and I think we need to support SHA-256 now.

This is a major setback.  It took years to get this change in place, the
whole issue of compatibility and installed base of software that doesn't
recognize the new packet formats.  I wonder if we could add a new set of
MDC packets as the "upgrade path" while retaining the old ones.  Then we
can gradually switch over to using the new ones over the next few years.
In that case we could change the draft expeditiously without commiting to
an immediate changeover in fielded implementations.

If we do pursue this, given the subsequent cryptographic progress since we
designed the MDC mechanism, we should probably look at the now-standard
mechanism of doing a keyed MAC over the ciphertext, rather than using
an encrypted hash of the plaintext.  The MAC could be HMAC with a hash
algorithm specifier for future upgrade.  The paper that first analyzed
this construction is: http://www-cse.ucsd.edu/~mihir/papers/oem.html .
It uses CBC mode, however the proof probably goes through for CFB mode
as well - the modes have similar security properties.

Hal Finney



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IF2mMa043007; Mon, 18 Sep 2006 08:02:48 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8IF2mXm043006; Mon, 18 Sep 2006 08:02:48 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.ihtfp.org (MAIL.IHTFP.ORG [204.107.200.6]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IF2k62043000 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 08:02:47 -0700 (MST) (envelope-from warlord@MIT.EDU)
Received: from cliodev.pgp.com (CLIODEV.IHTFP.ORG [204.107.200.20]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail.ihtfp.org (Postfix) with ESMTP id D3F11BD8548 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 11:02:46 -0400 (EDT)
Received: (from warlord@localhost) by cliodev.pgp.com (8.13.7/8.13.1/Submit) id k8IF2ifi003340; Mon, 18 Sep 2006 11:02:44 -0400
From: Derek Atkins <derek@ihtfp.com>
To: ietf-openpgp@imc.org
Subject: [Sam Hartman] Openpgp comments
Date: Mon, 18 Sep 2006 11:02:44 -0400
Message-ID: <sjmd59txlnv.fsf@cliodev.pgp.com>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--=-=-=

Forwarded with permission.

It looks like we still have some work to do on rfc2440bis.
Do we need a meeting in San Diego?  If so, I need to
request it today.

-derek


--=-=-=
Content-Type: message/rfc822
Content-Disposition: inline

From: Sam Hartman <hartmans-ietf@MIT.EDU>
To: Derek Atkins <derek@ihtfp.com>
Cc: housley@vigilsec.com
Subject: Openpgp comments
Date: Mon, 18 Sep 2006 10:33:27 -0400
Lines: 39
MIME-Version: 1.0


 Hi.  I'm sorry it has taken so long but I needed to spin up to speed
 on openpgp standards, read the old 2440, read the new doc, understand
 some of the political history and then talk to Russ.

I'm Basically done with the new doc.  I want to work through the
description of PGP CFB mode, but that's all I have left.

However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.

The first is the lack of IANA registries.  I understand this is left
over from 2440.  Back then, the IESG was much more willing to approve
documents without IANA registries.  Even in recent times the IESG has
done this--for example, RFC 4120 doesn't have IANA registries created.
It's actually my negative experience with RFC 4120 as well as changes
in IESG membership that cause me to be quite certain that PGP needs
IANA registries for all its parameters.  This is doubly true if we're
closing down the working group.  You can use standards action as the
registration policy if you are concerned about interactions with the
rest of the spec.  Take a look at RFC 2434.  The one caution I'd
suggest is that if you use the IESG approval registration policy,
please give the IESG clear guidelines on what we should look for.
"Evaluate using the same criteria as standards actions" is a fine
criteria as is something like "avoid security and interoperability
problems."


The second issue is the encryption with integrity packet.  Today this
is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
for that and I think we need to support SHA-256 now.


I realize both of these issues are large.

I'd be happy to get together with you and the authors on a conference
call if that would be useful.




--=-=-=



-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

--=-=-=--