Re: [openpgp] Fingerprints and their collisions resistance
ianG <iang@iang.org> Thu, 03 January 2013 09:03 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27AAD21F84E0 for <openpgp@ietfa.amsl.com>; Thu, 3 Jan 2013 01:03:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.359
X-Spam-Level:
X-Spam-Status: No, score=-1.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNZ43PxpK+zA for <openpgp@ietfa.amsl.com>; Thu, 3 Jan 2013 01:03:35 -0800 (PST)
Received: from pyyl.pair.com (pyyl.pair.com [209.68.1.203]) by ietfa.amsl.com (Postfix) with ESMTP id A370321F84D8 for <openpgp@ietf.org>; Thu, 3 Jan 2013 01:03:35 -0800 (PST)
Received: from [IPv6:::1] (www2.futureware.at [78.41.115.142]) by pyyl.pair.com (Postfix) with ESMTPSA id 62B07B24C8; Thu, 3 Jan 2013 04:03:13 -0500 (EST)
Message-ID: <50E5494E.6090905@iang.org>
Date: Thu, 03 Jan 2013 12:03:10 +0300
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <50E530D6.6020609@brainhub.org>
In-Reply-To: <50E530D6.6020609@brainhub.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [openpgp] Fingerprints and their collisions resistance
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2013 09:03:36 -0000
On 3/01/13 10:18 AM, Andrey Jivsov wrote: > As a remedy to the problem note that the collision resistance only > arises when the original "document" is not available. Fortunately, keys > are small, and therefore, the suggested enhancement to the RFC4880 to > remedy the collision dependence of fingerprints on SHA-1 is to store the > original key. Continuing the above example with non-repudiation, the > non-repudiation claims will be made against the application logs (i.e. > audit trails), thus it will be necessary to include complete keys in > addition to fingerprints in logs that record protocol exchanges that are > dependent on public key identification. > > This concern will need to be communicated somehow to developers that are > relying on RFC4880. I agree with this approach. It means no change to the tech in the short term, just a note that is distributed (perhaps added in any next revision or additional ID): to insure against future key collision possibilities in high-security application, store the full key with any fingerprint. > An alternative method is outlined next. We introduce a new hardwired > fingerprint, for example, based on SHA-3. The above-mentioned > application logs can simply state that "SHA-3 fingerprint is XXX" and > not bother with storing the whole key (which is unfortunately allowed to > change, for example, by acquiring new userIDs, making it hard to compare > the revisions). Any subpacket that currently takes the fingerprint will > be able to take the new SHA-3 fingerprint as well. Applications will be > expected to calculate two fingeprints in parallel and perform a match > with either of them. In addition, we might consider a features packet > forcing or preferring SHA-3 fingeprint (similar to the MDC feature). > KeyIDs in messages can also use 8 bytes of the new fingerprint. Now that SHA-3 is settled, it seems reasonable to clean out all of the SHA-1s. It would be nice if this were to take place within an overall refurbishment of the entire suite, e.g., OpenPGP 5 or whatever one calls it. Any change is going to be disruptive, and confusion out in userland with different feature/time/brand sets leads to loss of users, which isn't really any good compensation for the illusory security advantage of replacing SHA1. ... > I will appreciate your comments on this feature. I don't expect this to > be a task that needs an urgent resolution. In my mind this is something > that we agree on, have a simple spec, and then take a few years to > implement and deploy it in a least disruptive way. +1 It would be ideal if we could select a single small fixed suite of everything that would last for the next 2 decades. > If there is a more elegant/simpler solution? I would like to hear about it. On another related point - have the MD numbers been allocated for SHA3 in its various guises? iang
- [openpgp] Fingerprints and their collisions resis… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… Nicholas Cole
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Arturo 'Buanzo' Busleiman
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Tony Hansen
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… Christian Aistleitner
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… jbar
- Re: [openpgp] Fingerprints and their collisions r… Christian Aistleitner
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Bill Frantz
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Nicholas Cole
- Re: [openpgp] Fingerprints and their collisions r… ianG