Re: [openpgp] Memory requirement for Argon2 (draft-06, sec 3.7.1.4)

Daniel Huigens <d.huigens@protonmail.com> Mon, 18 July 2022 10:22 UTC

To: Bruce Walzer <bwalzer@59.ca>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/xoLSxpCMS0G6qAMqbAzecURDO3A>

Hi Bruce,

Since Argon2 is a symmetric construct, as a first assumption I think
it's not unreasonable to say that the file will most likely be
decrypted on the same device it was encrypted on. Of course, that won't
always be the case, but if it's not, it's not the end of the world; it
will just be slower (or faster).

In my opinion, the first recommended option should be fine, if the
implementation doesn't know about the hardware that will be used to
decrypt. The reason we don't standardize it is because these
recommendations might change in the future.

> Another thing I don't know, how much memory is required before the
> memory advantage provided by Argon2 is actually effective and
> helpful? Would there come a point where Argon2 provides no value
> over, say, "Iterated and Salted S2K"?

Argon2 is intended to provide the maximum amount of security for any
given amount of computing resources. So in principle Argon2 should be
more secure than Iterated+Salted S2K for any set of "equivalent"
parameters.

> With the current draft, an implementation generating an Argon2 value
> can specify a memory requirement all the way up to 2 TB. Is this a
> good idea? Or should the requirement be limited to something
> reasonable?

The decrypting implementation doesn't necessarily have to allocate 2 TB;
it can do with less, it will just be slow. If an application is
decrypting files from untrusted sources, and resource usage is a
concern, it might want to limit the resource usage here (similarly to
how it might want to limit the file size). Also, in this scenario using
asymmetric crypto seems more likely.

Best,
Daniel
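
Added example, not part of the original message or of any OpenPGP implementation: a pre-allocation check that a decrypting application could run on an Argon2 S2K specifier from an untrusted file before deriving the key. It assumes the specifier layout of the published OpenPGP specification (type octet 4, 16-octet salt, passes t, parallelism p, encoded memory exponent, memory = 2^exponent KiB); the caps, function name and sample bytes are hypothetical.

```python
ARGON2_S2K_TYPE = 4              # S2K specifier type octet for Argon2 (assumed layout)
MAX_MEMORY_KIB = 1 << 21         # hypothetical local cap: 2 GiB
MAX_PASSES = 16                  # hypothetical local cap on the pass count


class S2KPolicyError(Exception):
    """Well-formed parameters that exceed this application's resource budget."""


def check_argon2_s2k(spec: bytes, max_kib: int = MAX_MEMORY_KIB,
                     max_passes: int = MAX_PASSES) -> dict:
    """Parse an Argon2 S2K specifier and enforce local limits before any allocation."""
    if len(spec) != 20:
        raise ValueError("Argon2 S2K specifier must be exactly 20 octets")
    if spec[0] != ARGON2_S2K_TYPE:
        raise ValueError("not an Argon2 S2K specifier")
    salt, passes, lanes, enc_m = spec[1:17], spec[17], spec[18], spec[19]
    if passes == 0 or lanes == 0:
        raise ValueError("passes and parallelism must be non-zero")
    # Lower bound is 3 + ceil(log2(p)); (p - 1).bit_length() equals ceil(log2(p)).
    min_enc_m = 3 + (lanes - 1).bit_length()
    if not min_enc_m <= enc_m <= 31:
        raise ValueError(f"encoded memory {enc_m} outside {min_enc_m}..31")
    memory_kib = 1 << enc_m      # exponent 31 is the 2 TB case from the thread
    if memory_kib > max_kib:
        raise S2KPolicyError(f"{memory_kib} KiB requested, cap is {max_kib} KiB")
    if passes > max_passes:
        raise S2KPolicyError(f"{passes} passes requested, cap is {max_passes}")
    return {"salt": salt, "passes": passes,
            "parallelism": lanes, "memory_kib": memory_kib}


def make_spec(passes: int, lanes: int, enc_m: int) -> bytes:
    """Build a constructed sample specifier with an all-zero salt (test data only)."""
    return bytes([ARGON2_S2K_TYPE]) + bytes(16) + bytes([passes, lanes, enc_m])


if __name__ == "__main__":
    # Constructed samples: t=1, p=4, 2 GiB, then the maximum exponent 31.
    print(check_argon2_s2k(make_spec(1, 4, 21))["memory_kib"], "KiB accepted")
    try:
        check_argon2_s2k(make_spec(1, 4, 31))
    except S2KPolicyError as exc:
        print("rejected:", exc)
```

Malformed specifiers raise `ValueError`, while well-formed but over-budget ones raise `S2KPolicyError`, so the caller can report "unsupported parameters" separately from "corrupt input".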