ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] [PATCH] Updated S2K

2019-04-09 01:11:03
from [Werner Koch] [Permanent Link] 
On Mon,  8 Apr 2019 22:14, 
ndurner=40googlemail(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org said:

            3  Iterated and Salted S2K
+           4  Argon2i


I do not think that adding a new S2K algorithm is useful:

The major use cases for OpenPGP are public key operations.  Here we do
not require an S2K algorithm at all.  The S2K is used for the
Transferable Secret Keys which should be a operations performed with
all due diligence: It is better to use a secure channel and best a
symmetric encryption based on a full entropy key.  Without a pairing
algorithm it is often better to write down the key and employ a courier
instead of relying on a weak passphrase and resource intensive KDF.  The
KDF would anyway be needed to be parametrized in a way that it can be
used for export or import on a low end machine.  This is a case by case
decision and we would be better off to not extend the Transferable
Secret Keys format with new methods but use the existing OpenPGP
symmetric key formats.

The other use for an S2K is symmetric encryption.  OpenPGP has only
basic support for this and does not provide any key management functions
for this.  Eventual we will need to add such functions to OpenPGP to
make symmetric encryption a first class citizen of OpenPGP.  Right now
the secure choice you have is to use a full-entropy passphrase and store
it in a separate symmetric key database.  In fact this is a real world
use case of gpg.  I doubt that a Argon2i is in any way helpful here
because it convoys the message that a low-entropy passphrase along with
a resource hungry KDF is an alternative for a secure passphrase.


-Implementations SHOULD use salted or iterated-and-salted S2K
-specifiers, as simple S2K specifiers are more vulnerable to dictionary
-attacks.
+Implementations MUST generate S2K specifiers that include salts
+(either type 1, 3 or 4), as simple S2K specifiers are more vulnerable to


The SHOULD is there for a reason: Taking a full-entropy passphrase out
of a database does not require any salt.  It even demands the fastest
KDF we can provide.  This has been discussed in the past.


+      <reference anchor='Argon2i'
+     
target='https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04'>


This is not a useful reference:

   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver, Phil Pennock
Next by Date:  Re: [openpgp] [PATCH] Updated S2K, Peter Gutmann
Previous by Thread:  [openpgp] [PATCH] Updated S2K, Nils Durner
Next by Thread:  Re: [openpgp] [PATCH] Updated S2K, Peter Gutmann
Indexes:  [Date] [Thread] [Top] [All Lists]