[openpgp] Re: session key length with SEIPDv2

Falko Strenzke <falko.strenzke@mtg.de> Wed, 09 October 2024 15:25 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 247ECC157937 for <openpgp@ietfa.amsl.com>; Wed, 9 Oct 2024 08:25:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8H7eftg8a2lw for <openpgp@ietfa.amsl.com>; Wed, 9 Oct 2024 08:25:25 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38D25C14F726 for <openpgp@ietf.org>; Wed, 9 Oct 2024 08:25:22 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 499FOwP8007556 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Wed, 9 Oct 2024 17:24:58 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1728487498; bh=w3E53ERyZsOS7QnRagXwspkiFTa4eq9EwNa2CkK5ivk=; h=Date:Subject:To:References:From:In-Reply-To; b=VdGAmorKKpjqkHbr2x2hSg7uXytXcud2IhWSz5PibKfr8uesBEDjJT+HpER0Q/zUY jw2oOOqDf86r1WtmUXfoI91GO7o56ggP0VhFQCBVuMzZ+rD0Yf9sGC0hVgOO/pkQxh sPuCNkRjgtkkQg+7Q+KRVP8oxF3L2RsjKpulixNAj2RaE46QrhKGWbji+yBpcz8apP 5T7FCiKyHgtzKVcnw7iLchP7mhiUEQGq5MOPVCUgBa8AH3Eo0acpWFM84ndK+HbBD0 /gAgjM1sYNvxvU20FnhaaItiUbaojmHcLE/JopHiWaiUjZ8eLBm9X1u1QpqXmUyqul vPK3+6XtXpuNA==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 499FOvOF002491 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Wed, 9 Oct 2024 17:24:57 +0200
Message-ID: <c575947e-f66c-47f4-9e4b-68ca326e5898@mtg.de>
Date: Wed, 09 Oct 2024 17:24:57 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
References: <93b25cce-e9f7-40a7-881f-b81e3033e7b7@posteo.de> <HvPoeoRKHGaIbIcV2cwKvnY8uVH6UqJ2PUAlBu1AFmyr6plq6RNUGqQNKZE9RllDHSdDsmuPmTJeP-BX93cALBiNITsIg40HMFPPcy3Z_dQ=@protonmail.com> <87o73z7pwy.fsf@fifthhorseman.net> <WbuzsNz4I_wBvXGTTrh2mD0r5aAKVye2mZynPySokMkx3djh8a8Ad9GPbbFrAcc74REmwNmrH4trBmjJREDtfpVCdKOsI_PPz34hf2idEuM=@protonmail.com> <87ldyy7lwy.fsf@fifthhorseman.net> <cd727941-b547-4ef2-9e3c-609e93e1f3ab@mtg.de> <87ed4p76fe.fsf@fifthhorseman.net>
Content-Language: en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
In-Reply-To: <87ed4p76fe.fsf@fifthhorseman.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms090300010700040401090105"
Message-ID-Hash: U3RLGK4TU2VX7HH4XWXIEY4MKYUDD2NU
X-Message-ID-Hash: U3RLGK4TU2VX7HH4XWXIEY4MKYUDD2NU
X-MailFrom: falko.strenzke@mtg.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [openpgp] Re: session key length with SEIPDv2
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/oc-uEGo66cCKYk48L5Rh66XApac>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Am 09.10.24 um 15:27 schrieb Daniel Kahn Gillmor:
> On Tue 2024-10-08 16:45:02 +0200, Falko Strenzke wrote:
>> Suggesting that the consumer rejects shorter data encryption keys in
>> the errata seems prone to cause interoperability errors with producers
>> that interpret the spec differently.
> Do we know of any producers that interpret the spec differently today by
> using shorter session keys?

No, I don't know anyone. However, I think when I wrote the code for RNP 
some time ago, I made the mistake of not checking the size of the 
session key. So I conclude others might make the same mistake.

>
>> They might for instance always produce 256 bit session keys even when
>> using AES 128 for the payload encryption.
> Sure, they *might*, but does anyone?  now is the time to produce clear
> guidance to make sure the expectations are widely understood.  Do you
> object to the MUST requirement on producers that Daniel Huigens
> proposed?
No, I don't object. This cannot create any interop problems.
>
>> In my view the consumer guidance should state that a warning or error
>> SHOULD be issued if an existing requirement for the security level is
>> violated by either the size of the session key or that of the data
>> encryption key – rather than checking only the size of one of them.
> It sounds like you're saying that there is an additional thing --
> besides the session key -- that can be mis-sized (and is underspecified
> in RFC 9580).  What do you mean by "the data encryption key" in this
> context?  If you mean the output of the KDF during PKESKv6/SKESKv6
> consumption, isn't that size explicitly determined by the symmetric
> algorithm in the SEIPDv2 packet?  Under what circumstance might it be
> sized differently?
Clearly it can't be sized differently. And that's not what I said. I 
said "... an existing requirement for the security level is
violated ... ". That was referring to an application specific (or 
similar) requirement for the key size, that is external to the OpenPGP spec.
>> The real risk seems to be that when trying to enforce a certain
>> security level, an implementation might make the error of just
>> checking the size of the session key, because of the two keys that is
>> the one that has existed so far.
> Can you translate this into explicit guidance that you think should have
> been included in RFC 9580?

Not sure if that's worth the effort right now, as we are still 
discussing. I think we agree already on the MUST for the producer. The 
question that remains is whether there should be an equivalent MUST for 
the consumer. I think the main question is how well readers of RFC 9580 
will be aware of the errata. I have no experience with that, but my 
guess would be that it might not have the same reach as RFC 9580. That 
is what my concerns about a strict rule for the consumer are based on. 
How do you see this?

Falko

>
>       --dkg
>
> _______________________________________________
> openpgp mailing list --openpgp@ietf.org
> To unsubscribe send an email toopenpgp-leave@ietf.org
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>