Re: [openpgp] The Argon2 proposal seems incomplete (Draft 6)

Werner Koch <wk@gnupg.org> Fri, 29 July 2022 12:56 UTC

From: Werner Koch <wk@gnupg.org>
To: Justus Winter <justus@sequoia-pgp.org>
Cc: Bruce Walzer <bwalzer@59.ca>, openpgp@ietf.org
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox>
Date: Fri, 29 Jul 2022 14:54:27 +0200
In-Reply-To: <875yjhjg2c.fsf@thinkbox> (Justus Winter's message of "Thu, 28 Jul 2022 19:35:39 +0200")
Message-ID: <87r124m64c.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wqrvJsgZw1BfVYUcvYCBcaTa5sA>

On Thu, 28 Jul 2022 19:35, Justus Winter said:
> The current SEIPv1+MDC is impossible to implement securely.  Efail, one
> of the best attacks on OpenPGP ever, is a direct consequence of that.

EFail has never been an attack on OpenPGP.  It is an attack on the
majority of today's mail client implementations.  We have seen other
attacks which were more severe.

> whether a replacement for the SEIPv1+MDC system is needed.

CFB+MDC is a proper encryption system that we came up with in 2000, with
still no known attacks.  It is slow, though.  Thus a faster and
easy-to-implement AE mode makes a lot of sense.  This is why we started to
deploy OCB decryption capability years ago, so that in a few years it
can replace the CFB+MDC mode.

The whole new complex "crypto-refresh" AE stuff to support the brittle
GCM is a dead end.  Well, unless you want to put OpenPGP back into the
geek-only domain.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
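The mail calls GCM "brittle" without spelling out what breaks. The following is an added example, not part of Werner's message or of GnuPG, illustrating the most commonly cited fragility: GCM is CTR mode plus a GHASH tag, so encrypting two messages under the same key and nonce hands an attacker the XOR of the two plaintexts (and, by Joux's "forbidden attack", enough such pairs let the GHASH subkey be recovered and tags forged; that second step is not shown here). The key, nonce and messages are constructed for the demonstration. One caveat a practitioner should keep in mind: OCB also requires unique nonces (RFC 7253), so this shows what "brittle" means for GCM, not a contrast in which OCB survives the same misuse.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed sample material for the demonstration (not from the mail):
// a 32-byte AES-256 key and a 12-byte nonce that is deliberately reused.
var (
	sampleKey   = []byte("0123456789abcdef0123456789abcdef")
	sampleNonce = []byte("unique-nonce")
)

// newGCM builds an AES-GCM AEAD for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns ciphertext || 16-byte tag. The caller must never use
// the same (key, nonce) pair twice; the functions below show why.
func gcmSeal(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen verifies the tag and decrypts; any tampering yields an error.
func gcmOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak encrypts p1 and p2 under the same key and nonce and
// returns the XOR of the two ciphertext bodies (tags excluded). Because
// both encryptions use the same CTR keystream, the result equals
// p1 XOR p2: anyone who knows one plaintext recovers the other.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	c1, err := gcmSeal(key, nonce, p1)
	if err != nil {
		return nil, err
	}
	c2, err := gcmSeal(key, nonce, p2)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

// TamperDetected flips one ciphertext bit and reports whether Open
// rejects it; with a unique nonce this is the integrity GCM does deliver.
func TamperDetected(key, nonce, plaintext []byte) (bool, error) {
	ct, err := gcmSeal(key, nonce, plaintext)
	if err != nil {
		return false, err
	}
	if len(ct) == 0 {
		return false, errors.New("empty ciphertext")
	}
	ct[0] ^= 0x01
	_, err = gcmOpen(key, nonce, ct)
	return err != nil, nil
}

func main() {
	p1 := []byte("attack at dawn, sector 7")
	p2 := []byte("hold position until noon")
	leak, _ := NonceReuseLeak(sampleKey, sampleNonce, p1, p2)
	fmt.Printf("c1^c2 == p1^p2: %v\n", bytes.Equal(leak, xorBytes(p1, p2)))
	// Knowing p1, the attacker recovers p2 without the key.
	fmt.Printf("recovered p2: %q\n", xorBytes(leak, p1))
	ok, _ := TamperDetected(sampleKey, sampleNonce, p1)
	fmt.Printf("bit flip rejected: %v\n", ok)
}
```

Run it with `go run .`; the first line shows the keystream-reuse leak, the second recovers the second message from the first, and the third confirms that with a fresh nonce GCM still rejects a flipped bit, which is the same kind of integrity guarantee the MDC provides for CFB.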