Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
Justus Winter <justus@sequoia-pgp.org> Thu, 28 July 2022 17:35 UTC
Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D81FC1C50D7 for <openpgp@ietfa.amsl.com>; Thu, 28 Jul 2022 10:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jqfCEObTLSr9 for <openpgp@ietfa.amsl.com>; Thu, 28 Jul 2022 10:35:48 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BDDEC1A649F for <openpgp@ietf.org>; Thu, 28 Jul 2022 10:35:47 -0700 (PDT)
Received: (qmail 2991 invoked by uid 500); 28 Jul 2022 17:35:44 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Bruce Walzer <bwalzer@59.ca>
Cc: openpgp@ietf.org
In-Reply-To: <YuKpxp0/Dy1DfC19@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca>
Date: Thu, 28 Jul 2022 19:35:39 +0200
Message-ID: <875yjhjg2c.fsf@thinkbox>
MIME-Version: 1.0
Content-Type: text/plain
X-Rspamd-Bar: /
X-Rspamd-Report: MIME_GOOD(-0.1) MID_RHS_NOT_FQDN(0.5) BAYES_HAM(-0.184266)
X-Rspamd-Score: 0.215733
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/2.8.28) with ESMTPSA; Thu, 28 Jul 2022 19:35:44 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/uqO8czxZz8jZh5Jbg0dA8Kr6XSY>
Subject: Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 17:35:49 -0000
Bruce Walzer <bwalzer@59.ca> writes: > On Thu, Jul 28, 2022 at 12:00:57AM +0200, Justus Winter wrote: >> Bruce Walzer <bwalzer@59.ca> writes: >> >> > On Tue, Jul 26, 2022 at 06:51:25PM +0200, Justus Winter wrote: >> > >> >> > OpenPGP is a messaging standard and has to be such that >> >> > interoperability is possible between different systems. That is at >> >> > odds with normal Argon2 usage. >> >> >> >> If you are doing pre-shared key encryption, you have to communicate the >> >> key to the recipient, hence you do know in what context the data will be >> >> decrypted. >> > >> > How would this work in practice? Would we ask the user for the Argon2 parameters at encryption time? >> > >> > Enter passphrase: *********************** >> > Enter memory available for decryption (KiB): 2000 >> > Enter execution threads available for decryption: 8 >> > Enter passes for decryption: 3 >> >> How would S2K work in practice? >> >> Enter passphrase: *********************** >> Enter S2K type: Iterated and Salted >> Enter hash algorithm: RipeMD160 >> Enter octet count: 65000000 >> Error: Invalid octet count, must be a integer solution to (16 + m) * 2^(6 + e) >> Enter octet count: 65011712 > > We were discussing the Argon2 proposal and suddenly we are discussing > the existing standardized thing. We are not suddenly discussing S2K, in fact, it was you who brought it up in your very first mail: > Another thing I don't know, how much memory is required before the > memory advantage provided by Argon2 is actually effective and helpful? > Would there come a point where Argon2 provides no value over, say, > "Iterated and Salted S2K"? And again in your second mail: > As a practical example, GnuPG adjusts the amount of computational > effort so that it takes 0.1 seconds to decrypt on the system the S2K > operation was done on. Now, when you say that: > I an arguing that the Argon2 proposal as it exists should not be > included in an OpenPGP draft. I an hoping that argument can stand on > its own. And at the same time do not propose an alternative, I think you are arguing that the current system is sufficient. I have pointed out that it is not for two reasons: first, single core performance outscales the S2K parameter space, second highly concurrent computation environments that are nowadays available require memory-hardness, which S2K lacks. >> This is not unlike the situation that you won't be able to >> decrypt it if you don't support the cipher, AEAD mode, or OpenPGP >> version (anymore). > > Which is why we should avoid such situations if possible by only > changing these things when absolutely necessary. Note that I strongly > oppose the addition of AEAD modes for this very reason (among > others). The current SEIPv1+MDC is impossible to implement securely. Efail, one of the best attacks on OpenPGP ever, is a direct consequence of that. If you don't understand that, maybe you lack the experience to gauge whether a replacement for the SEIPv1+MDC system is needed. > I don't know what you mean by "OpenPGP version". While this is a bit of a loose term, if you don't understand what I mean by that, we lack the common terminology to discuss the revision of this protocol. Therefore, I will stop engaging. Justus
- [openpgp] The Argon2 proposal seems incomplete (D… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Werner Koch
- Re: [openpgp] The Argon2 proposal seems incomplet… Paul Wouters
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… brian m. carlson
- Re: [openpgp] The Argon2 proposal seems incomplet… Stephen Farrell
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- [openpgp] OpenPGP encryption block modes (Was: Th… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Benjamin Kaduk
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes (Was… Phillip Hallam-Baker
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Ángel
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Kahn Gillmor