[openpgp] v5 fingerprints in ECDH

"brian m. carlson" <sandals@crustytoothpaste.net> Sat, 27 February 2021 23:14 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B2C3A15C7 for <openpgp@ietfa.amsl.com>; Sat, 27 Feb 2021 15:14:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FkX0yIwuUy5P for <openpgp@ietfa.amsl.com>; Sat, 27 Feb 2021 15:14:35 -0800 (PST)
Received: from injection.crustytoothpaste.net (injection.crustytoothpaste.net [192.241.140.119]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B39893A15C5 for <openpgp@ietf.org>; Sat, 27 Feb 2021 15:14:35 -0800 (PST)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:7d4e:cde:7c41:71c2]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by injection.crustytoothpaste.net (Postfix) with ESMTPSA id 4796460DF4 for <openpgp@ietf.org>; Sat, 27 Feb 2021 23:14:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1614467671; bh=MbYG2A+u8auSs50psHPRuDsTj+KlebUYh1bl1RmxQvU=; h=Date:From:To:Subject:References:Content-Type:Content-Disposition: In-Reply-To:From:Reply-To:Subject:Date:To:CC:Resent-Date: Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=Sd1AimcBEi+eb3iyQutiwzZNX3VzdLI/tzZ11hZENYh5fMrnYRD7nhPOmDCIr/Uw2 IJADRBKnh3x8XNha3p99veTPqc8kstdA4IEzqVfLs76jSQmqKNXRR7noIodeel3/fD L7KlmdJhR3AyHlSvFRiACT/PHZ/g0jtkAKODR5E30m70g5aPjDvZvA85aIldALIgl0 XMyhVLBWiO76cGF/KfkFBT6WfEiFSc6cLCp/5zcGQ74f0TN55PkpMYsFhPcmKk6jOY wqam+hwBPbiR9gyK9TDrWEOwF2YFCDPd6X/MALMArhnTRy8OUK8wzDuROhOcnpH4t4 2sJ5J8UPIr8BALq79SCc2PKLjc/BK3YkJ5G9BD8pGN/if+BiRtLtwkJapBQi5I28aA xGGjBpTMDOkQ6ZPfDNlgdlH1PduvOAlkfA/2PTxnCwZ80hqEPCNCexP4RPwY48H9qQ 4VCPkP+8V++/tIJ2c8y9j9IE/AAkAl6i2lA3BjmNNB/MgEsO1f9
Date: Sat, 27 Feb 2021 23:14:25 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <YDrSURVzasNsCV/S@camp.crustytoothpaste.net>
References: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="A7Tze74Dsf4tJn9S"
Content-Disposition: inline
In-Reply-To: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca>
User-Agent: Mutt/2.0.5 (2021-01-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/uwba__3Yb-ChX0uzNRyWnIDJDd0>
Subject: [openpgp] v5 fingerprints in ECDH
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2021 23:14:37 -0000

On 2021-02-23 at 02:19:03, Paul Wouters wrote:
> 
> Hi,
> 
> I pushed an updated version of the crypto refresh document:
> 
> https://www.ietf.org/rfcdiff?url2=draft-ietf-openpgp-crypto-refresh-02
> 
> I've also pushed the git changes to https://gitlab.com/openpgp-wg/rfc4880bis
> 
> 
> The commit on white space changes was reverted, as the WG will be
> re-opening that discussion later once we have all the consensus
> items from the previous 4880bis discussion re-published in this
> document.
> 
> The following items were merged in:
> 
> - Produce 4-level-deep ToC
> - Reserve codepoints in the registries
> - reorganize signature and asymmetric key value fields
> - Re-flow the v3 and v4 signature descriptions
> - Incorporated RFC 6637 (ECDSA and ECDH, using NIST curves)

I noticed for v5 fingerprints we hash only the left 20 octets in the
ECDH KDF:

  20 octets representing a recipient encryption subkey or a master
  key fingerprint, identifying the key material that is needed for
  the decryption.  For version 5 keys the 20 leftmost octets of the
  fingerprint are used.

Absent a compelling reason, I'd prefer to see the entire fingerprint
used.  It doesn't make sense to define a fingerprint that's 32 octets
and then truncate it to 20 octets in some cases.  At that point, we're
relying on the collision resistance of a different algorithm, not
SHA-256, and decreasing the security level to below 128 bits.

Note that if we do this, we'll need to update the text above and below
to reflect that the sizes are not invariant.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US