ietf-openpgp

Re: [openpgp] Pull request for AEAD encrypted data packet with GCM

2017-02-13 19:10:13

On Feb 12, 2017, at 5:06 PM, brian m. carlson 
<sandals@crustytoothpaste.net> wrote:

I've opened a pull request that defines an AEAD encrypted data packet
using GCM.  This work is necessarily incomplete, because it doesn't
define a new version of the symmetrically-encrypted data packet, which
we'd want, and it doesn't define a new encoding for the secret key
packet.

GCM seems to be the uncontroversial choice here.  It's used in TLS and
other protocols, and it provides adequate security.  It isn't encumbered
by patents.  It performs reasonably well.

Other alternatives include OCB and CTR with HMAC.  I personally object
to OCB because it's patented, and while I like CTR with HMAC, it was my
impression that the rest of the working group would not share my
opinion.

While I understand that we are not interested in adding general
extensibility to the protocol, I opted to include an octet for the AEAD
algorithm in case someone wants to define OCB or something like
ChaCha20-Poly1305.  ChaCha20 cannot use GCM, but it is a popular
algorithm that performs well on many architectures and is well-suited to
embedded systems.

I've proposed this as a starting point and welcome further comments.

I'll request that another mode than GCM be used. In particular, I disagree with 
it being "uncontroversial." It's the most controversial mode you could pick.

GCM is very brittle. It breaks in very bad ways if you aren't careful with 
nonces/tags. There are many cases of people misusing it and getting worse than 
no security. I state that because if you *think* you're getting authenticated 
data, but it's actually been altered in transit, that will likely cause 
issues in the receiving state machine.

This paper <https://eprint.iacr.org/2016/475.pdf> is all about real-world cases 
of unintentional misuse of GCM.

Furthermore, the multiply in GHASH is slow in software. Yes, there are hardware 
instructions in high-end Intel and ARM processors, but if you do it on 
lower-end processors or in something like JavaScript, it's a pain. If you have 
to conditionally do hardware or software, it makes implementation more 
difficult.

I think GCM is fine to use in some circumstances, like high-speed VPN boxes, 
but it's the AEAD mode that comes from ACME. If you are Wile E. Coyote it is 
going to blow up in your face.

Perhaps most rigorously, the real problem with GCM is GHASH. Anything with 
GHASH is worrisome.

Your mention of alternatives was incomplete, so I'll bring alternatives up.

We all really want to use OCB. If you look at 
<http://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm>, which is Rogaway's page on 
it, you'll see that while it is patented, there are some broad license grants. There's one for 
open source software, as well as one for non-military software. He's also given 
one to OpenSSL. I'll bet that if someone asked him for a grant for the OpenPGP 
protocol, he'd probably do it. As it is, the large-swath grants for it (open 
source, and non-military) suggest that we could either say that's good enough 
for us or ask for another grant. But if we don't want to, we don't want to. OCB 
is the mode everyone really wants to use, but I don't want to get wrapped around 
the axle on the controversy here, either.

Beyond OCB, though, there are a lot of alternatives:

* CCM. CCM has been my go-to for AEAD in many cases. It is easy to understand 
and works well. It is easy to get right. I think that this is an important 
property, being easy to get right. Its major disadvantage, being a two-pass 
algorithm, is not that bad for OpenPGP because we have streaming packets in the 
core protocol. Nonetheless, Rogaway's own paper about it (see the OCB link 
above for it) is not a bad paper, but remember that Rogaway is arguing against 
CCM in favor of either OCB or his own EAX.

* ChaCha20+Poly1305. Many of the cool kids are using it. It's fast, reasonably 
okay to implement, it's in TLS 1.3, and wouldn't be a bad choice. The major 
criticism I can see is that ChaCha20 is a stream cipher, not a streaming mode on 
a block cipher (like AES or Twofish or whatever). I think most of the 
legitimate criticisms of it are blunted by its being used a lot in the TLS 
world.

* SIV. SIV is another Rogaway mode, it's unencumbered, has resistance to 
misuse, and I can't think of anything bad to say about it other than a plea not 
to use the GCM version because GHASH. Many cool kids are using it.

* EAX. I tend to discount EAX because it's not OCB, not CCM (which was created 
to be Not OCB), and not SIV. I wouldn't scream, though. I just think that in 
this day, it doesn't have an advantage over any non-GCM AEAD thing.

* CTR+HMAC. Like you, I mention it for completeness. But while I think that any 
of the above would be better, I think it is again better than GCM. It's not 
sexy but it works, and it's harder to screw up than many things.

So to sum up, I think that GCM is actually controversial and dangerous for 
generic use.

        Jon
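The nonce discipline and the nonce-reuse failure Jon describes, as an added Go example that is not part of the thread or of the pull request: an AES-GCM sealer that derives each nonce from a counter and fails closed before the counter wraps, next to a deliberate nonce reuse showing that the XOR of two ciphertexts equals the XOR of the two plaintexts. The nonce || ciphertext || tag layout and the 4-byte fixed field plus 8-byte counter nonce are assumptions for illustration, not the draft's packet format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Sealer pairs AES-GCM with a counter nonce so no (key, nonce) pair repeats.
type Sealer struct {
	aead    cipher.AEAD
	counter uint64 // next 8-byte counter placed in the nonce tail (assumed layout)
}

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block (16-byte block size)
	return &Sealer{aead: aead}, err
}

// Seal returns nonce || ciphertext || tag and fails closed when the counter
// would wrap; at that point the caller must rotate the key.
func (s *Sealer) Seal(ad, plaintext []byte) ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rotate key")
	}
	nonce := make([]byte, s.aead.NonceSize()) // 12 bytes: 4 zero bytes + 8-byte counter
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return s.aead.Seal(nonce, nonce, plaintext, ad), nil
}

// NonceReuseLeaksXor shows the brittleness the thread warns about: sealing two
// messages under one key and nonce reuses the CTR keystream, so ciphertext XOR
// ciphertext equals plaintext XOR plaintext. The nonce is reused on purpose.
func (s *Sealer) NonceReuseLeaksXor(p1, p2 []byte) bool {
	nonce := make([]byte, s.aead.NonceSize())
	c1 := s.aead.Seal(nil, nonce, p1, nil)
	c2 := s.aead.Seal(nil, nonce, p2, nil)
	for i := 0; i < len(p1) && i < len(p2); i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}
```

The receiver opens a packet with the same key by passing the leading 12 bytes as the nonce and the remainder as ciphertext plus tag; any change to nonce, associated data, ciphertext or tag makes Open fail before any plaintext is released.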

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp