Re: [openpgp] OpenPGP encryption block modes (Was: The Argon2 proposal seems incomplete (Draft 6))

Daniel Huigens <d.huigens@protonmail.com> Thu, 04 August 2022 22:58 UTC

To: bwalzer@59.ca
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: wk@gnupg.org, justus@sequoia-pgp.org, openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <Fwgmkk-iDCOGeERNlsQjvyeGfqxh4QcUroVQSRxth3nYzYcETrRl-7_j50Lfs1x5SiXLs_VAV0bBsd6T6rp-TKhpAxKS27grQh0N4JLY9yM=@protonmail.com>
In-Reply-To: <YuvlHdLz0Sfle7Ot@ohm.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox> <87r124m64c.fsf@wheatstone.g10code.de> <YulX9jI1+wOCwLJq@ohm.59.ca> <Q6EUpbQm0e5f1OiU-77Old9p9FXyLCaFZ8pMm7PTt8VTLQJaXRQzWIDSwc3db6yI-56imyOaTNdt9TC8Zrm1jN_kPKxFYH4OqEu6o-Wfquo=@protonmail.com> <YuvlHdLz0Sfle7Ot@ohm.59.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/njRFT3BRxtD6QhjTD0GRhq42iJM>

On Thursday, August 4th, 2022 at 11:26, Bruce Walzer wrote:

> I thought you guys were mostly doing messaging. Why would performance
> be important in that environment? Speaking of messaging, wouldn't you
> strongly prefer the most compatible mode? That is going to be
> SEIPD-MDC for the foreseeable future. Why would either OCB or GCM be
> of any particular interest?

I am speaking with my OpenPGP.js maintainer hat on. The library doesn't
assume any particular use case, and there are definitely use cases where
performance matters.

> How would a more secure library make the overall system more secure?
> The javascript is still going to be handling the plaintext. We are
> only talking about the block cipher mode here, not the cipher
> itself. That doesn't seem like something that could create a side
> channel by itself.

Well - Web Crypto only exposes block cipher modes. In theory, we could
implement AES-OCB on top of AES-CBC, of course, by calling the latter
for every block, but the overhead of calling the (asynchronous) API for
every block would likely make that infeasible. So, in practice, for OCB
we end up using a JS implementation of the block cipher as well,
whereas for GCM we can use the native implementation.

Best,
Daniel