[openpgp] Remove session key checksum and padding for v6 ECDH

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 February 2023 22:14 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Date: Fri, 24 Feb 2023 17:14:06 -0500
Message-ID: <87sfeuu2xd.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/qLFlBbMICipuRglKOQgsMrFYoIs>

Hi OpenPGP folks--

in https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/223 we have
a proposal to remove the checksum and padding steps for ECDH when used
with v6 PKESK:

   https://mailarchive.ietf.org/arch/msg/openpgp/em4s5PL9GO7EUrigDbQdc8TOP9c

(the MR currently reads "v5", but Aron Wussler has already volunteered
to update it to v6 assuming that we land !238)

Given that we've added the new algorithm IDs for X25519 and X448,
implementations adopting those algorithm IDs will *not* be using the
ECDH mechanism in v6 at all, so this change would apply only to keys
using the other ECDH mechanisms (e.g., NIST or Brainpool curves).

As i understand it, the rationale for dropping these pieces in v6 ECDH
is that they are unnecessary:

 - ECDH already uses a standard keywrapping function
 
 - the padding doesn't hide anything (as the SEIPDv2 packet exposes the
   choice of symmetric algorithm directly)

 - the padding also doesn't fill any needed space, since the algorithms
   used are all multiples of 8 octets anyway.

The downside, expressed by Daniel Huigens on gitlab, is that this
creates a bit of additional complexity for implementers who want to
support both v4 and v6 ECDH, and it isn't necessary for the CFRG curves
anyway now that they have their own dedicated algorithm IDs and PKESK
wrapping formats.

Please use this thread to endorse or object to this proposal to change
the value keywrapped in v6 ECDH PKESK packets!

       --dkg
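
An added example, not part of the message above or of the merge request: it builds the value that RFC 6637 hands to AES key wrap for v4 ECDH (algorithm ID, session key, checksum, PKCS5 padding) next to the proposed v6 form, to show the length argument in the rationale list. It assumes the proposed v6 value is the bare session key; the function names are hypothetical and the sample keys are constructed.

```python
# Added illustration; not code from the thread or from merge request 223.
AES_KEY_LEN = {7: 16, 8: 24, 9: 32}  # OpenPGP IDs for AES-128/192/256

def checksum(key: bytes) -> bytes:
    """Two-octet sum of the session key octets, modulo 65536."""
    return (sum(key) % 65536).to_bytes(2, "big")

def encode_v4(alg_id: int, key: bytes) -> bytes:
    """RFC 6637 input to key wrap: alg ID || key || checksum || PKCS5 pad."""
    body = bytes([alg_id]) + key + checksum(key)
    pad = 8 - len(body) % 8  # minimal padding, 1..8 octets
    return body + bytes([pad]) * pad

def decode_v4(m: bytes) -> tuple[int, bytes]:
    """Undo encode_v4, rejecting bad padding, length or checksum."""
    if len(m) < 8 or len(m) % 8:
        raise ValueError("not a multiple of 8 octets")
    pad = m[-1]
    # Senders may pad beyond the minimum, so accept any well-formed run.
    if not 1 <= pad <= len(m) - 4 or m[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    alg_id, key, csum = m[0], m[1:-pad - 2], m[-pad - 2:-pad]
    if AES_KEY_LEN.get(alg_id) != len(key):
        raise ValueError("key length does not match algorithm")
    if checksum(key) != csum:
        raise ValueError("bad checksum")
    return alg_id, key

def encode_v6_proposed(key: bytes) -> bytes:
    """Assumed proposed form: the bare session key goes to key wrap."""
    if len(key) % 8:
        raise ValueError("key wrap needs a multiple of 8 octets")
    return key

def wrap_input_sizes() -> dict[int, tuple[int, int]]:
    """alg ID -> (v4 input length, proposed v6 input length)."""
    out = {}
    for alg_id, n in AES_KEY_LEN.items():
        key = bytes(range(n))  # constructed sample key, not a secret
        out[alg_id] = (len(encode_v4(alg_id, key)), len(encode_v6_proposed(key)))
    return out

if __name__ == "__main__":
    print(wrap_input_sizes())
```

An implementation that supports both v4 and v6 ECDH would carry both encodings, which is the implementer cost raised on gitlab.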