[openpgp] Re: session key length with SEIPDv2
Daniel Huigens <d.huigens@protonmail.com> Sat, 05 October 2024 15:42 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA73DC14F726 for <openpgp@ietfa.amsl.com>; Sat, 5 Oct 2024 08:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpBAwNfGOWOA for <openpgp@ietfa.amsl.com>; Sat, 5 Oct 2024 08:42:25 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67EAC14F70A for <openpgp@ietf.org>; Sat, 5 Oct 2024 08:42:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1728142943; x=1728402143; bh=I7x2MlctgIhkPjX36R5DYU0UpwbF54SNGro2OgK0S04=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=UNDCqHqUDJfstXEAZSqTqPJhmntc9niQOWzy8HK3pFSwhv9gLIG3FNT+q3UyI1TfY en9WS/qD3M4eAsoWgF51WXQ6F8gFQ8Pkjd6p/zHrkm+ZDFXwa4JaAJJ5SNn+eNkYnV pa2Bk1sIZDxgMxCgU64E+CG65KQPePobmbNRH0ogQy38yA55l7BMRknPjk5G7Z1mTA bG4st8Qmzq3rxFWLfDuaOxYHHRjD9FO/Ct6g17WptjbFFq/dnA0JSNpQ83lu3EyM2J iWf/AfvFm24yWqqnJTmaEVmO1Ufym/91hJUWbkiusdPsfduAWJX/nZ2ptV/JOHzjIn wXsoJBFatZUQw==
Date: Sat, 05 Oct 2024 15:42:19 +0000
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <WbuzsNz4I_wBvXGTTrh2mD0r5aAKVye2mZynPySokMkx3djh8a8Ad9GPbbFrAcc74REmwNmrH4trBmjJREDtfpVCdKOsI_PPz34hf2idEuM=@protonmail.com>
In-Reply-To: <87o73z7pwy.fsf@fifthhorseman.net>
References: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de> <HvPoeoRKHGaIbIcV2cwKvnY8uVH6UqJ2PUAlBu1AFmyr6plq6RNUGqQNKZE9RllDHSdDsmuPmTJeP-BX93cALBiNITsIg40HMFPPcy3Z_dQ=@protonmail.com> <87o73z7pwy.fsf@fifthhorseman.net>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: e67987bc9ce5034486cb85a9b0e7510aa4d5d9e8
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: STGPBWD7JEF6LSQHX6H5MNY3ZGLBZYJ3
X-Message-ID-Hash: STGPBWD7JEF6LSQHX6H5MNY3ZGLBZYJ3
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [openpgp] Re: session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/md6cceX881QZtCCH_73Y75fXqw8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi dkg, On Friday, October 4th, 2024 at 11:12, Daniel Kahn Gillmor wrote: > leaving consumer guidance implicit seems like it is the > core of the original omission I disagree with this part; I think producer guidance is the important part, because (quoting from my previous email): > Though, I do think all of the security risk is on the encryption / > producer's side - i.e. as long as producers choose an appropriate > length, the ecosystem is safe, and the consumer can't protect against > the producer choosing an insecure session key in general, anyway > (e.g. the producer could also choose a session key of all zeros, > or a random session key but publish it somewhere). Note that also for SEIPDv1, there was technically no consumer guidance either - of course you might say it's obvious that decryption would fail but the consumer could technically truncate or pad the session key, as well. To be fair, there's not much producer guidance either - the only things I could find are (1) in the names of the algorithms: 7 AES with 128-bit key [AES] 8 AES with 192-bit key 9 AES with 256-bit key and (2) in these examples: For example, in a version 3 Public Key Encrypted Session Key packet, an AES-256 session key is encoded as follows, forming a 40-octet sequence: 09 k0 k1 ... k31 s0 s1 05 05 05 05 05 The octets k0 to k31 above denote the session key (...) In a version 6 Public Key Encrypted Session Key packet, the symmetric algorithm is not included, as described in Section 5.1. For example, an AES-256 session key would be composed as follows: k0 k1 ... k31 s0 s1 06 06 06 06 06 06 The octets k0 to k31 above again denote the session key (...) I'm not sure if examples count as normative guidance, but at least this shows that the intention was to keep the session key lengths the same in SEIPDv2 as in SEIPDv1. All of that is not to say that I'm opposed to consumer guidance, but I think (normative) producer guidance is the more important part and the part that can more unambiguously be shown to have been intended given the above quotes of RFC9580, and thus I think it could go in an erratum? Whereas if we want consumer guidance (for SEIPDv2 and v1) I'd expect it'd have to go somewhere else. But, lmk if you disagree, of course. Best, Daniel
- [openpgp] session key length with SEIPDv2 Heiko Schäfer
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Huigens
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Falko Strenzke
- [openpgp] Re: session key length with SEIPDv2 Justus Winter
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor
- [openpgp] Re: session key length with SEIPDv2 Daniel Kahn Gillmor