Re: [openpgp] First remarks on the last I-D

Jon Callas <joncallas@icloud.com> Fri, 10 June 2022 21:28 UTC

From: Jon Callas <joncallas@icloud.com>
In-Reply-To: <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca>
Date: Fri, 10 Jun 2022 14:28:52 -0700
Cc: Jon Callas <joncallas@icloud.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ronald Tse <tse=40ribose.com@dmarc.ietf.org>, openpgp@ietf.org
Message-Id: <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com>
References: <BB9D0AB9-CC8C-420E-8082-E9F64B09BF46@ribose.com> <790E2D75-3B92-4322-A72A-DC8ABED899BF@nohats.ca> <87czfji7w1.fsf@wheatstone.g10code.de> <18396bf2-5319-87c3-095e-f804632618f2@cs.tcd.ie> <5100C338-C6DC-4BB1-86A4-DAC353AA82CC@icloud.com> <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/tou-rPiW3-uNPBjOWakVvD2SZDc>
Subject: Re: [openpgp] First remarks on the last I-D
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
X-List-Received-Date: Fri, 10 Jun 2022 21:28:58 -0000


> On Jun 10, 2022, at 06:54, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Wed, 8 Jun 2022, Jon Callas wrote:
> 
>> However, GCM mode is not required for FIPS. It is neither necessary nor sufficient. PGP was the very first software-only FIPS 140 module, over twenty years ago. If someone is claiming that they need GCM mode for FIPS, they're mistaken.
> 
> Well, if that FIPS compliance was achieved with 3DES, at this point that would be
> a problem as 3DES has been sunset. What non-GCM encryption algorithm is
> FIPS approved and supported by OpenPGP ?

AES is a FIPS algorithm and has been for some time. NIST is in favor of it. Forgive me for being pedantic, but GCM is a mode -- and there are documents which I just found by typing "fips 140 modes of encryption" into a search engine, where it tells me that for AES:

AES-CCM is approved (SP800-38C), as is CMAC (SP800-38B), and HMAC via FIPS 198-1 via SP800-107.

Note also that they explicitly approve all of the SP800-38 sub documents, and that includes CBC with and without CTS, CCM, XTS, key wrap algorithms, and even format preserving encryption. There are a lot of other modes one could synthesize (like OCB and EAX) and they'd be fine.

> 
>> And for what it's worth, I'm also against using GCM mode for storage encryption in particular, and thus in OpenPGP.
> 
> Noted. This is good to know.

In general, I think one should not be doing stream modes for storage, and the reason is nonce reuse. In the case of GHASH and thus GCM, the issue is that reusing a nonce breaks all MACs in the future and in the past. When one is doing streaming, breaking a past nonce isn't a big deal. However, in storage, this is different. If someone accidentally reuses a nonce, the past break means that things already written can be undetectably modified. This is why the lot of us really, really get cranky about GCM. It would be much better to use CCM (because it was explicitly created to be a non-IP mode) or OCB (which is what we all want to use anyway, and it's faster than GCM). And yes, yes, there are also things like SIV.

I think that for storage of things like keys, it's better to do an HMAC or CMAC on top of CFB (since OpenPGP is full of that) or use CBC+CTS (which resolves padding issues).
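The construction recommended in the last paragraph, an HMAC laid over CFB for stored material such as keys, written out as an added example in Go. This is not code from the thread or from any OpenPGP implementation: it uses Go's standard-library AES-CFB (plain full-block CFB, not OpenPGP's resync variant), HMAC-SHA256 in encrypt-then-MAC order with an encryption key and a MAC key that are kept separate, and verifies the tag before any ciphertext is decrypted so that a blob modified on disk is rejected rather than decrypted. The `NonceLedger` type is an assumed helper, included to illustrate the operational guard against the accidental IV/nonce reuse the message warns about; all names (`Keys`, `Seal`, `Open`, `NonceLedger`) are my own. The sample plaintext is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Sealed blob layout: iv (16 bytes) || AES-CFB ciphertext || HMAC-SHA256 tag (32 bytes).
const (
	ivSize  = aes.BlockSize
	tagSize = sha256.Size
)

var (
	ErrBadTag     = errors.New("storage blob: authentication failed")
	ErrNonceReuse = errors.New("nonce/IV already used under this key")
)

// Keys holds two independent keys: one for AES-CFB and one for HMAC.
// Keeping them separate is the usual encrypt-then-MAC discipline.
type Keys struct {
	Enc []byte // 16, 24 or 32 bytes for AES-128/192/256
	Mac []byte // 32 bytes recommended for HMAC-SHA256
}

// Seal encrypts plaintext with AES-CFB under a fresh random IV and appends
// an HMAC-SHA256 tag computed over iv||ciphertext (encrypt-then-MAC).
func Seal(k Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	// Reserve room for the tag so mac.Sum appends in place.
	out := make([]byte, ivSize+len(plaintext), ivSize+len(plaintext)+tagSize)
	iv := out[:ivSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[ivSize:], plaintext)
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time before touching the ciphertext, so a
// blob that was modified on disk is refused instead of silently decrypted.
func Open(k Keys, blob []byte) ([]byte, error) {
	if len(blob) < ivSize+tagSize {
		return nil, ErrBadTag // truncated: treat as tampering
	}
	body, tag := blob[:len(blob)-tagSize], blob[len(blob)-tagSize:]
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrBadTag
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-ivSize)
	cipher.NewCFBDecrypter(block, body[:ivSize]).XORKeyStream(pt, body[ivSize:])
	return pt, nil
}

// NonceLedger is an assumed helper: it records every IV/nonce issued under a
// key and refuses a repeat. A real deployment would back it with durable
// storage so the set survives restarts; an in-memory map is enough to show
// the check.
type NonceLedger struct{ seen map[string]struct{} }

func NewNonceLedger() *NonceLedger { return &NonceLedger{seen: map[string]struct{}{}} }

// Reserve returns ErrNonceReuse if nonce was already handed out.
func (l *NonceLedger) Reserve(nonce []byte) error {
	if _, dup := l.seen[string(nonce)]; dup {
		return ErrNonceReuse
	}
	l.seen[string(nonce)] = struct{}{}
	return nil
}

func main() {
	k := Keys{Enc: bytes.Repeat([]byte{0x11}, 32), Mac: bytes.Repeat([]byte{0x22}, 32)}
	blob, _ := Seal(k, []byte("constructed sample: stored key material"))
	pt, err := Open(k, blob)
	fmt.Printf("opened: %q err=%v\n", pt, err)
	blob[ivSize] ^= 0x80 // simulate a one-bit modification of the stored ciphertext
	_, err = Open(k, blob)
	fmt.Println("after modification:", err)
}
```

The point the block makes is the one in the message: because the tag covers the IV and ciphertext and is checked first, a stored blob cannot be altered without detection, and an IV that is reused (which CFB, unlike GCM, degrades gracefully under) is refused at issue time rather than discovered after the fact.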