ietf-openpgp

Re: [openpgp] v5 fingerprints in ECDH

2021-02-28 11:15:31
On Sat, 27 Feb 2021, brian m. carlson wrote:

> I noticed for v5 fingerprints we hash only the left 20 octets in the
> ECDH KDF:
>
>  20 octets representing a recipient encryption subkey or a master
>  key fingerprint, identifying the key material that is needed for
>  the decryption.  For version 5 keys the 20 leftmost octets of the
>  fingerprint are used.
>
> Absent a compelling reason, I'd prefer to see the entire fingerprint
> used.  It doesn't make sense to define a fingerprint that's 32 octets
> and then truncate it to 20 octets in some cases.  At that point, we're
> relying on the collision resistance of a different algorithm, not
> SHA-256, and decreasing the security level to below 128 bits.
>
> Note that if we do this, we'll need to update the text above and below
> to reflect that the sizes are not invariant.

I think whether or not this change can still be made depends on what has
already been implemented. That is, are we describing what is already out
there, or is this something new? If it is new, then this issue is worth
getting consensus on.

Can implementors share some light on this?

Does anyone remember the origin of only using 20 octets and not all
octets?

Paul
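
An added example, not part of the original message and not taken from any OpenPGP implementation: the RFC 6637 KDF parameter block for P-256 / SHA-256 / AES-128, built with constructed fingerprints, showing what the 20-octet rule does and does not bind. The function names are hypothetical, and the `truncate=False` path is the full-fingerprint alternative raised in the thread, not specified behaviour.

```python
import hashlib

# Constants from RFC 6637 section 8 (ECDH KDF parameters).
P256_OID = bytes.fromhex("2A8648CE3D030107")   # NIST P-256 curve OID
ECDH_ALGO_ID = 18                               # public key algorithm ID for ECDH
KDF_HASH_SHA256 = 8                             # hash algorithm ID
KEK_AES128 = 7                                  # symmetric algorithm ID
ANON_SENDER = b"Anonymous Sender    "           # 20 octets, 4 trailing spaces


def kdf_param(fingerprint: bytes, truncate: bool = True) -> bytes:
    """Build the Param block. truncate=True follows the draft text quoted
    above; truncate=False is the alternative proposed in the thread."""
    if len(fingerprint) not in (20, 32):
        raise ValueError("expected a 20-octet (v4) or 32-octet (v5) fingerprint")
    fpr = fingerprint[:20] if truncate else fingerprint
    return (bytes([len(P256_OID)]) + P256_OID + bytes([ECDH_ALGO_ID])
            + bytes([0x03, 0x01, KDF_HASH_SHA256, KEK_AES128])
            + ANON_SENDER + fpr)


def derive_kek(shared_x: bytes, param: bytes, kek_len: int = 16) -> bytes:
    """KEK = leftmost kek_len octets of SHA-256(00 00 00 01 || ZB || Param)."""
    return hashlib.sha256(b"\x00\x00\x00\x01" + shared_x + param).digest()[:kek_len]


def demo() -> dict:
    # Constructed sample values, not real key material. ZB is held fixed so
    # that only the contribution of the fingerprint field is visible.
    zb = bytes(range(32))
    fpr_a = hashlib.sha256(b"constructed key A").digest()
    fpr_b = fpr_a[:20] + bytes(12)              # differs only after octet 20
    kek = lambda fpr, trunc: derive_kek(zb, kdf_param(fpr, trunc))
    return {
        "truncated_equal": kek(fpr_a, True) == kek(fpr_b, True),
        "full_equal": kek(fpr_a, False) == kek(fpr_b, False),
        "param_len_truncated": len(kdf_param(fpr_a)),
        "param_len_full": len(kdf_param(fpr_a, False)),
    }


if __name__ == "__main__":
    print(demo())
```

The differing Param lengths are the "sizes are not invariant" point from the quoted message: the fixed-size wording in the surrounding text would have to change along with the fingerprint field.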
