[openpgp] Re: session key length with SEIPDv2

Daniel Huigens <d.huigens@protonmail.com> Sat, 05 October 2024 15:42 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA73DC14F726 for <openpgp@ietfa.amsl.com>; Sat, 5 Oct 2024 08:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpBAwNfGOWOA for <openpgp@ietfa.amsl.com>; Sat, 5 Oct 2024 08:42:25 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67EAC14F70A for <openpgp@ietf.org>; Sat, 5 Oct 2024 08:42:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1728142943; x=1728402143; bh=I7x2MlctgIhkPjX36R5DYU0UpwbF54SNGro2OgK0S04=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=UNDCqHqUDJfstXEAZSqTqPJhmntc9niQOWzy8HK3pFSwhv9gLIG3FNT+q3UyI1TfY en9WS/qD3M4eAsoWgF51WXQ6F8gFQ8Pkjd6p/zHrkm+ZDFXwa4JaAJJ5SNn+eNkYnV pa2Bk1sIZDxgMxCgU64E+CG65KQPePobmbNRH0ogQy38yA55l7BMRknPjk5G7Z1mTA bG4st8Qmzq3rxFWLfDuaOxYHHRjD9FO/Ct6g17WptjbFFq/dnA0JSNpQ83lu3EyM2J iWf/AfvFm24yWqqnJTmaEVmO1Ufym/91hJUWbkiusdPsfduAWJX/nZ2ptV/JOHzjIn wXsoJBFatZUQw==
Date: Sat, 05 Oct 2024 15:42:19 +0000
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <WbuzsNz4I_wBvXGTTrh2mD0r5aAKVye2mZynPySokMkx3djh8a8Ad9GPbbFrAcc74REmwNmrH4trBmjJREDtfpVCdKOsI_PPz34hf2idEuM=@protonmail.com>
In-Reply-To: <87o73z7pwy.fsf@fifthhorseman.net>
References: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de> <HvPoeoRKHGaIbIcV2cwKvnY8uVH6UqJ2PUAlBu1AFmyr6plq6RNUGqQNKZE9RllDHSdDsmuPmTJeP-BX93cALBiNITsIg40HMFPPcy3Z_dQ=@protonmail.com> <87o73z7pwy.fsf@fifthhorseman.net>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: e67987bc9ce5034486cb85a9b0e7510aa4d5d9e8
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: STGPBWD7JEF6LSQHX6H5MNY3ZGLBZYJ3
X-Message-ID-Hash: STGPBWD7JEF6LSQHX6H5MNY3ZGLBZYJ3
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [openpgp] Re: session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/md6cceX881QZtCCH_73Y75fXqw8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi dkg,

On Friday, October 4th, 2024 at 11:12, Daniel Kahn Gillmor wrote:
> leaving consumer guidance implicit seems like it is the
> core of the original omission

I disagree with this part; I think producer guidance is the important
part, because (quoting from my previous email):

> Though, I do think all of the security risk is on the encryption /
> producer's side - i.e. as long as producers choose an appropriate
> length, the ecosystem is safe, and the consumer can't protect against
> the producer choosing an insecure session key in general, anyway
> (e.g. the producer could also choose a session key of all zeros,
> or a random session key but publish it somewhere).

Note that also for SEIPDv1, there was technically no consumer guidance
either - of course you might say it's obvious that decryption would fail
but the consumer could technically truncate or pad the session key, as
well.

To be fair, there's not much producer guidance either - the only things
I could find are (1) in the names of the algorithms:

   7   AES with 128-bit key [AES]
   8   AES with 192-bit key
   9   AES with 256-bit key

and (2) in these examples:

   For example, in a version 3 Public Key Encrypted Session Key packet,
   an AES-256 session key is encoded as follows, forming a 40-octet
   sequence:

   09 k0 k1 ... k31 s0 s1 05 05 05 05 05

   The octets k0 to k31 above denote the session key (...)

   In a version 6 Public Key Encrypted Session Key packet, the symmetric
   algorithm is not included, as described in Section 5.1.  For example,
   an AES-256 session key would be composed as follows:

   k0 k1 ... k31 s0 s1 06 06 06 06 06 06

   The octets k0 to k31 above again denote the session key (...)

I'm not sure if examples count as normative guidance, but at least this
shows that the intention was to keep the session key lengths the same
in SEIPDv2 as in SEIPDv1.

All of that is not to say that I'm opposed to consumer guidance, but I
think (normative) producer guidance is the more important part and the
part that can more unambiguously be shown to have been intended given
the above quotes of RFC9580, and thus I think it could go in an erratum?
Whereas if we want consumer guidance (for SEIPDv2 and v1) I'd expect
it'd have to go somewhere else. But, lmk if you disagree, of course.

Best,
Daniel