Re: [openpgp] Discussion regarding signalling of preferences for multiple encryption-capable keys
Daniel Huigens <d.huigens@protonmail.com> Mon, 25 April 2022 12:57 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C54C3A18F7 for <openpgp@ietfa.amsl.com>; Mon, 25 Apr 2022 05:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ioS3QrltHRR for <openpgp@ietfa.amsl.com>; Mon, 25 Apr 2022 05:57:54 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 539993A18F3 for <openpgp@ietf.org>; Mon, 25 Apr 2022 05:57:54 -0700 (PDT)
Date: Mon, 25 Apr 2022 12:57:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1650891471; bh=p/Gd5Jm9MiWwwkQEOxJPBEQYGbxoKSOsFhypS6CrvPM=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=uvKUPM9+EBYZy8164sX6aH1fD+iF6Wd21mUg/BdghAGcVzZbvS0ckx3doTOcva1FB h4En1rhjzTrWmseA08V6AHib1/M0Fx2oQwULmmIORF5p9GWTD+PEBRfeKpyfYVHaI1 4QGo+wQRmo6GShvOEldX0RKDkWIjcF4u5tyXWknY0++Secmer1l/V1MajpohmHgCbN Gss22VcZyPSWmVGUAtkWHu/EZKZRHJ7iE8KHL029rej9tpC90dsYnQ8HWgh9MJt4Br 6xa1EfoIUggb53vSpFHyW8YYThARUL9wImRDk0QPj4ivrGcLRS6/y1BmO1tGFdhTdx Z11vNe0AGMu9w==
To: Falko Strenzke <falko.strenzke@mtg.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <fdKStPY4BAiDh7F33MyFz-RNVEzhoa0-YqcMfAXJvM563IlqMj05NTskzQ7Im82ZbmeMMSet9DZ353-n0dcZEXeQARa5DRXIOW3TNWbilDQ=@protonmail.com>
In-Reply-To: <f6f22d4d-13ce-d58d-defd-9faba1428ca1@mtg.de>
References: <f6f22d4d-13ce-d58d-defd-9faba1428ca1@mtg.de>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lgH27qRoWKFi0a4P9rFTdp7zeXM>
Subject: Re: [openpgp] Discussion regarding signalling of preferences for multiple encryption-capable keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 12:58:00 -0000
Hi there,
I would prefer not to mix signalling about using multiple subkeys
(if any) with hybrid algorithms. For example, what if you want to
express "please use these X25519+HRSS keys, *and* these X448+SIKE
keys (in that combination)"? It becomes very complicated.
For post-quantum crypto, I would prefer, as Greg also suggested,
to just define algorithm IDs for combinations of algorithms (e.g. one
for "X25519+HRSS" and one for "X448+SIKE"), and then have only one
(sub)key packet for the X25519 and HRSS keys, for example (with the
algorithm ID defining how to encode them). Of course there's some risk
of an "explosion of combinations", but I think we should work to
restrict that anyway, and having a set number of permissible
combinations is better than allowing arbitrary combinations.
Of course, then there's no backwards compatibility (by default)
in the sense of being able to use only the X25519 key by itself.
So, if you want that, you'd have to additionally add a separate X25519
("Curve25519 over ECDH", really) subpacket. Those keys are small so I
think that's fine. (Also, if we don't do that, it means we lock
ourselves into the weird "Curve25519 over ECDH" scheme even longer.)
Or, you might want to have a separate backwards compatible primary key
as well, for signatures; in that case you could just generate two
separate certificates. We have a similar issue currently with v4 and v5
keys; there you might also want to serve both for a while. If we
prepare our software now to support using multiple concatenated keys
(the spec already allows this), with the semantics being "use the first
one you support", for example (to be discussed), then that would help
us with the transition to post-quantum crypto as well.
Best,
Daniel
------- Original Message -------
On Thursday, April 14th, 2022 at 15:06, Falko Strenzke <falko.strenzke@mtg.de> wrote:
> I cannot post to the Design Team list, so I post it on this mailing list:
>
> Regarding the discussion around multiple encryption-capable subkeys, I
> would like to make the following remarks on behalf of the project
> PQC@Thunderbird. At IETF 113 we presented our ongoing project for the
> standardisation of PQC in OpenPGP. Well aware that this is not in the
> scope of the crypto refresh, we still want to make a comment on the
> signalling mechanism for a preferred usage of multiple encryption
> subkeys, as it is currently being discussed by the Design Team. The
> reason is that a related issue will in our view most likely also arise
> in the context of multi-algorithm encryption. What we refer to as
> multi-algorithm encryption is often also referred to as hybrid
> encryption and means the combined encryption with two public key
> encryption schemes in such a way, that the combined scheme is only
> broken when both constituent schemes are broken. "Both constituent
> schemes" will typically be a classical scheme and a PQC scheme. For such
> a combination of two public-key encryption operations, an algorithm for
> the derivation of the session key from the input-keys encrypted in each
> PKESK is also needed. Proposals for this exist and typically involve the
> use of a KDF.
>
> So far to introduce the background. Now we come to the point were the
> signalling of the intended subkey usage matters in this approach: If a
> user wants to restrict others to only sending him encrypted messages
> using multi-algorithm encryption with two specific encryption subkeys
> from his keyring in combination – i.e. not allowing them to use either
> of the two keys in the default "single-algorithm" manner, the question
> arises
> * how to signal to the sender that a certain encryption subkey must only
> be used in a multi-algorithm combination with another (specific) subkey
> from the same keyring (e.g. to indicate: "use this PQC key only in
> multi-algorithm encryption together with ECDH")?
>
> In our understanding this problem could be solved by a signalling
> mechanism analogous to the one discussed now regarding parallel
> encryption. The mechanism would have to be enhanced by a flag signalling
> the intended use of a key in the multi-algorithm context only.
>
> We just want to provide this piece of information for the case it
> matters for the ongoing discussion in Design Team.
>
> Best regards,
> Falko
>
> --
>
> MTG AG
> Dr. Falko Strenzke
> Executive System Architect
>
> Phone: +49 6151 8000-24
> E-Mail: falko.strenzke@mtg.de
> Web: www.mtg.de
>
>
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
> Commercial register: HRB 8901
> Register Court: Amtsgericht Darmstadt
> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
> Chairman of the Supervisory Board: Dr. Thomas Milde
>
> This email may contain confidential and/or privileged information. If
> you are not the correct recipient or have received this email in error,
> please inform the sender immediately and delete this email. Unauthorised
> copying or distribution of this email is not permitted.
>
> Data protection information: www.mtg.de/en/privacy-policy
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] Discussion regarding signalling of pref… Falko Strenzke
- Re: [openpgp] Discussion regarding signalling of … Daniel Kahn Gillmor
- Re: [openpgp] Discussion regarding signalling of … Falko Strenzke
- Re: [openpgp] Discussion regarding signalling of … Andrew Gallagher
- Re: [openpgp] Discussion regarding signalling of … Daniel Kahn Gillmor
- Re: [openpgp] Discussion regarding signalling of … Andrew Gallagher
- Re: [openpgp] Discussion regarding signalling of … Greg Maxwell
- Re: [openpgp] Discussion regarding signalling of … Daniel Kahn Gillmor
- Re: [openpgp] Discussion regarding signalling of … Aron Wussler
- Re: [openpgp] Discussion regarding signalling of … Daniel Huigens