Re: [openpgp] Choices for AEAD modes [was: AEAD and Rome]

Werner Koch <wk@gnupg.org> Wed, 15 June 2022 08:24 UTC

From: Werner Koch <wk@gnupg.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: openpgp@ietf.org
References: <BB9D0AB9-CC8C-420E-8082-E9F64B09BF46@ribose.com> <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca> <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com> <YqPEw8OIlf0PG40T@camp.crustytoothpaste.net> <25c3a7b5-07ef-1521-1a14-43ef0c7b4043@cs.tcd.ie> <SY4PR01MB6251D365368552630ECCD720EEA99@SY4PR01MB6251.ausprd01.prod.outlook.com> <4dd0ad8b-9de7-15e6-a9ef-e0401acd69f8@sixdemonbag.org> <p_7pskU0MxbpIjGwmAUTMmFsJxjA8QRQCGDbCfrYQTSXocrlDUFDdNuHXChjBwy3RAc2eA_mRIyGFDWD6u5peNNL_F9I3yUYXAa5Khy5XqE=@protonmail.com> <87y1y0bj9r.fsf_-_@wheatstone.g10code.de> <mAnMlR7HNIXC0Mzquewg8bVEHE9cqSkScWwn7zNyD0GBWXzr6CFS858ENPS6fPzVV7TyIbkOhgiG75aVKSuw2EBeCc_SDYpaG5IIzmDGemQ=@protonmail.com> <87o7yuoluk.fsf@fifthhorseman.net>
Mail-Followup-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
Date: Wed, 15 Jun 2022 10:22:46 +0200
In-Reply-To: <87o7yuoluk.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 14 Jun 2022 19:40:19 -0400")
Message-ID: <875yl2bajt.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/urEAirKEhuot3ETKDbi2GcQ3q64>
Subject: Re: [openpgp] Choices for AEAD modes [was: AEAD and Rome]

On Tue, 14 Jun 2022 19:40, Daniel Kahn Gillmor said:

>  d) we can revert to rfc4880bis-10's AEAD packet framing and key
>     schedule, with its table of AEAD modes, without guarantees of key
>     separation, and without GCM, but switched to OCB as the MTI mode.

Yes, this is what has been deployed worldwide for years in millions of
installations (decryption wise) and is meanwhile in active use.  After
consensus in the WG!

From an implementor's POV it is okay to flag the EAX code point as reserved,
make OCB mandatory, and forbid any other code points.

> option (d) is problematic because a "specification required" registry
> would presumably soon have GCM added by folks who want it, but the lack

So let them add their GCM using another packet and I bet that - for
OpenPGP - it will not fly.

> of key separation between modes means that addition of a new mode like
> GCM risks introducing problems with cross-mode key abuse.  This key
> separation is one of the reasons that the design team moved to the

That is more of an academic reason than of any practical real-world
need.  We don't want to allow for too many new options.

>    greenfield application.  I don't know whether the WG could get
>    consensus around what those algorithm choices would be, but I could

The algorithms we need are AES128, AES256, OCB, SHA256, SHA512, X25519,
and maybe X448.  But that would not be a real-world usable application;
it could only be used in new closed projects.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
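The key-separation question raised in the quoted text (whether a single session key is handed unchanged to every AEAD mode, or whether each mode gets its own derived key) is easier to reason about with a concrete derivation in front of you. The following is an added example, not code from this thread, from GnuPG, or from any OpenPGP draft: it implements RFC 5869 HKDF-SHA256 with the standard library only and contrasts the two designs. The `MODE_OCB`/`MODE_GCM` byte labels and the `info` prefix are constructed for illustration and are not OpenPGP code points or the key schedule of rfc4880bis-10 or of any later draft.

```python
import hashlib
import hmac

# Constructed mode labels for the two AEAD modes named in the thread.
# Assumption: any stable, distinct per-mode byte string works for binding;
# these are illustrative and are NOT OpenPGP registry code points.
MODE_OCB = b"OCB"
MODE_GCM = b"GCM"

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC-SHA256(salt, IKM); empty salt -> HashLen zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def unseparated_key(session_key: bytes, mode: bytes) -> bytes:
    """The 'no key separation' design: every mode receives the raw session key.

    The mode argument is deliberately ignored; that is exactly the property
    being discussed, since OCB and GCM would then share one key.
    """
    return session_key


def separated_key(session_key: bytes, mode: bytes, length: int = 32) -> bytes:
    """Bind the AEAD mode into the derivation so each mode gets a distinct key.

    Constructed info label: a fixed context string plus the mode identifier.
    Changing the mode changes the info, so the derived keys are unrelated.
    """
    prk = hkdf_extract(b"", session_key)
    return hkdf_expand(prk, b"example-aead-key-separation:" + mode, length)


def keys_collide(session_key: bytes, derive) -> bool:
    """True if the given derivation hands OCB and GCM the same key bytes."""
    return derive(session_key, MODE_OCB) == derive(session_key, MODE_GCM)


if __name__ == "__main__":
    # Constructed session key; a real one comes from the PKESK/SKESK path.
    sk = bytes(range(32))
    print("raw session key shared across modes:", keys_collide(sk, unseparated_key))
    print("HKDF-bound keys shared across modes: ", keys_collide(sk, separated_key))
    print("OCB key:", separated_key(sk, MODE_OCB).hex())
    print("GCM key:", separated_key(sk, MODE_GCM).hex())
```

The check worth keeping from this is `keys_collide`: with the unseparated design it is trivially true, so any future registry addition of a second mode is automatically keyed with the same material as OCB; with the mode bound into the HKDF `info`, a registry addition gets its own key for free. Whether that guarantee is worth its complexity is the policy argument made above; the code only makes the two outcomes visible.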