GNU bug report logs -
#57599
[PATCH] openpgp: Add support for ECDSA with NIST curves.
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Mon, 5 Sep 2022 16:10:02 UTC
Severity: normal
Tags: patch, wontfix
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 57599 in the body.
You can then email your comments to 57599 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
all_but_last <at> 163.com, 57576 <at> debbugs.gnu.org, guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Mon, 05 Sep 2022 16:10:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to
all_but_last <at> 163.com, 57576 <at> debbugs.gnu.org, guix-patches <at> gnu.org.
(Mon, 05 Sep 2022 16:10:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Fixes <https://issues.guix.gnu.org/57576>.
Reported by Zhu Zihao <all_but_last <at> 163.com>.
* guix/openpgp.scm (verify-openpgp-signature): Add case for ecdsa.
(get-signature): Likewise for PUBLIC-KEY-ECDSA.
(get-public-key): Likewise.
* tests/keys/secp384.pub, tests/keys/secp384.sec,
tests/keys/secp521.pub, tests/keys/secp521.sec: New files.
* Makefile.am (EXTRA_DIST): Add them.
* tests/openpgp.scm (%secp384-key-id, %secp384-key-fingerprint)
(%hello-signature/secp384/sha384)
(%secp521-key-id, %secp521-key-fingerprint)
(%hello-signature/secp521/sha521): New variables.
* tests/openpgp.scm ("get-openpgp-detached-signature/ascii")
("verify-openpgp-signature, good signatures")
("verify-openpgp-signature, bad signature"): Check with
the secp384 and secp521 curves.
---
Makefile.am | 4 +++
guix/openpgp.scm | 41 +++++++++++++++++++++-----
tests/keys/secp384.pub | 11 +++++++
tests/keys/secp384.sec | 12 ++++++++
tests/keys/secp521.pub | 13 +++++++++
tests/keys/secp521.sec | 14 +++++++++
tests/openpgp.scm | 66 +++++++++++++++++++++++++++++++++++-------
7 files changed, 143 insertions(+), 18 deletions(-)
create mode 100644 tests/keys/secp384.pub
create mode 100644 tests/keys/secp384.sec
create mode 100644 tests/keys/secp521.pub
create mode 100644 tests/keys/secp521.sec
diff --git a/Makefile.am b/Makefile.am
index a0c4e941c1..71c3bd4a98 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -702,6 +702,10 @@ EXTRA_DIST += \
tests/keys/ed25519-2.sec \
tests/keys/ed25519-3.pub \
tests/keys/ed25519-3.sec \
+ tests/keys/secp384.pub \
+ tests/keys/secp384.sec \
+ tests/keys/secp521.pub \
+ tests/keys/secp521.sec \
build-aux/config.rpath \
bootstrap \
doc/build.scm \
diff --git a/guix/openpgp.scm b/guix/openpgp.scm
index 9de7feb644..b999c30474 100644
--- a/guix/openpgp.scm
+++ b/guix/openpgp.scm
@@ -1,6 +1,6 @@
;; -*- mode: scheme; coding: utf-8 -*-
;; Copyright © 2010, 2012 Göran Weinholt <goran <at> weinholt.se>
-;; Copyright © 2020 Ludovic Courtès <ludo <at> gnu.org>
+;; Copyright © 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;; Permission is hereby granted, free of charge, to any person obtaining a
;; copy of this software and associated documentation files (the "Software"),
@@ -290,7 +290,7 @@ (define PUBLIC-KEY-RSA-SIGN-ONLY 3)
(define PUBLIC-KEY-ELGAMAL-ENCRYPT-ONLY 16)
(define PUBLIC-KEY-DSA 17)
(define PUBLIC-KEY-ECDH 18) ;RFC-6637
-(define PUBLIC-KEY-ECDSA 19) ;RFC-6639
+(define PUBLIC-KEY-ECDSA 19) ;RFC-6637
(define PUBLIC-KEY-ELGAMAL 20) ;encrypt + sign (legacy)
(define PUBLIC-KEY-EDDSA 22) ;"not yet assigned" says GPG
@@ -298,6 +298,7 @@ (define (public-key-algorithm id)
(cond ((= id PUBLIC-KEY-RSA) 'rsa)
((= id PUBLIC-KEY-DSA) 'dsa)
((= id PUBLIC-KEY-ELGAMAL-ENCRYPT-ONLY) 'elgamal)
+ ((= id PUBLIC-KEY-ECDSA) 'ecdsa)
((= id PUBLIC-KEY-EDDSA) 'eddsa)
(else id)))
@@ -564,10 +565,16 @@ (define (check key sig)
;; See "(gcrypt) Cryptographic Functions".
(sexp->canonical-sexp
(if (eq? key-type 'ecc)
- `(data
- (flags eddsa)
- (hash-algo sha512)
- (value ,hash))
+ (match (openpgp-signature-public-key-algorithm sig)
+ ('eddsa
+ `(data
+ (flags eddsa)
+ (hash-algo sha512)
+ (value ,hash)))
+ ('ecdsa
+ `(data
+ (hash-algo ,(openpgp-signature-hash-algorithm sig))
+ (value ,hash))))
`(data
(flags ,(match key-type
('rsa 'pkcs1)
@@ -615,7 +622,8 @@ (define (get-sig p pkalg)
(string->canonical-sexp
(format #f "(sig-val (dsa (r #~a#) (s #~a#)))"
(->hex r) (->hex s)))))
- ((= pkalg PUBLIC-KEY-EDDSA)
+ ((or (= pkalg PUBLIC-KEY-EDDSA)
+ (= pkalg PUBLIC-KEY-ECDSA))
(print "EdDSA signature")
(let ((r (get-mpi/bytevector p))
(s (get-mpi/bytevector p)))
@@ -630,7 +638,8 @@ (define (bytevector->hex bv)
str)))
(string->canonical-sexp
- (format #f "(sig-val (eddsa (r #~a#) (s #~a#)))"
+ (format #f "(sig-val (~a (r #~a#) (s #~a#)))"
+ (public-key-algorithm pkalg)
(bytevector->hex r) (bytevector->hex s)))))
(else
(list 'unsupported-algorithm
@@ -886,6 +895,22 @@ (define curve
curve
(if (eq? curve 'Curve25519) 'djb-tweak 'eddsa)
(->hex q)))))
+ ((= alg PUBLIC-KEY-ECDSA)
+ (print "Public ECDSA key")
+ (let* ((len (get-u8 p))
+ (oid (bytevector->uint (get-bytevector-n p len)))
+ (q (get-mpi p)))
+ (define curve
+ ;; RFC 6637, Section 11.
+ (match oid
+ (#x2a8648ce3d030107 "NIST P-256")
+ (#x2b81040022 "NIST P-384")
+ (#x2b81040023 "NIST P-521")))
+
+ (string->canonical-sexp
+ (format #f "(public-key (ecc (curve \"~a\")(q #~a#)))"
+ curve
+ (->hex q)))))
(else
(list 'unsupported-algorithm ;FIXME: throw
(public-key-algorithm alg)
diff --git a/tests/keys/secp384.pub b/tests/keys/secp384.pub
new file mode 100644
index 0000000000..b90cf504e2
--- /dev/null
+++ b/tests/keys/secp384.pub
@@ -0,0 +1,11 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mG8EYxYF9RMFK4EEACIDAwTHYxcyBiiPz4ZZIkmXnVu0Yv9DHGrnbdCR6U/RT1S4
+wszaHdsSEHlPwmy3WGgTubBDOuJODf5kV/HLL7QEPsOTkIsObK+prEJO3CGpRVim
+a7nfVk2AH6D/GMkNacSXdwy0FTxleGFtcGxlQGV4YW1wbGUuY29tPoiwBBMTCQA4
+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEzLZ9Sx8EBzgp+PzwLydGMf8+
+bFsFAmMWB+sACgkQLydGMf8+bFuD3gF/SMEDQP3Bvu0yb8KxE6j8lhOiKT186wwG
+4hBsifRdEF+UHWEa7sx74tyc4R1B01FUAYC/4QqNup4EnPzQfSE3WyVvu+ja+xui
+3vppYCpUjkHzkATsLzsN98/nkZ3q3YA8/lo=
+=vIaC
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/keys/secp384.sec b/tests/keys/secp384.sec
new file mode 100644
index 0000000000..ae296dd9a1
--- /dev/null
+++ b/tests/keys/secp384.sec
@@ -0,0 +1,12 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lKQEYxYF9RMFK4EEACIDAwTHYxcyBiiPz4ZZIkmXnVu0Yv9DHGrnbdCR6U/RT1S4
+wszaHdsSEHlPwmy3WGgTubBDOuJODf5kV/HLL7QEPsOTkIsObK+prEJO3CGpRVim
+a7nfVk2AH6D/GMkNacSXdwwAAYC9iXZ9j+RWFB4rU103SCv6j68rS5Lmc7tHve9l
+B5nri/AR+OEJ61q+w6w0XO5GBBUYLrQVPGV4YW1wbGVAZXhhbXBsZS5jb20+iLAE
+ExMJADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTMtn1LHwQHOCn4/PAv
+J0Yx/z5sWwUCYxYH6wAKCRAvJ0Yx/z5sW4PeAX9IwQNA/cG+7TJvwrETqPyWE6Ip
+PXzrDAbiEGyJ9F0QX5QdYRruzHvi3JzhHUHTUVQBgL/hCo26ngSc/NB9ITdbJW+7
+6Nr7G6Le+mlgKlSOQfOQBOwvOw33z+eRnerdgDz+Wg==
+=B1Nl
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/keys/secp521.pub b/tests/keys/secp521.pub
new file mode 100644
index 0000000000..077e8e7df2
--- /dev/null
+++ b/tests/keys/secp521.pub
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mJMEYxYamRMFK4EEACMEIwQB4EqA0zTAfhLeVjkNnzvTuSYs+TUlYdDaw9mYA7Gy
+AiNvxr2F1hJi88Wxxr3YNGKx9s0yJ2Vl0dHlCLmlQAFc9MMACZKWZN68mqbYfSVf
+qJxSG5F8qbF0+dGecwY+TjM4xdaUk4d0vD13/e+r/HLYNgwKrpO2SurNZX/isfkn
+rvNSHPi0HTxleGFtcGxlLXNlY3A1MjFAZXhhbXBsZS5jb20+iNoEExMKAD4WIQQ7
+r36YQGm2cfPDEWnoSxOgtOevGwUCYxYamQIbAwUJA8JnAAULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgAAKCRDoSxOgtOevG4GUAgkBN118FBDW896Iv+2U/29Fpfni4V6D
+Vp6HTE5qAqmJUtKOOSxmDAmiJ4sinybTP4YCLQT9fmMQqrJSSY0d/hVg4fYCCQGD
+Y6iRT8KPyxhlpsVVwdiUjOd4B5JUyJj0qOudY4yveyOl6c1bdxJALMbEHV4JREEE
+1+ylYN1KRfpaQh42Zoms9Q==
+=Nru3
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/keys/secp521.sec b/tests/keys/secp521.sec
new file mode 100644
index 0000000000..663dbeaa3c
--- /dev/null
+++ b/tests/keys/secp521.sec
@@ -0,0 +1,14 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lNoEYxYamRMFK4EEACMEIwQB4EqA0zTAfhLeVjkNnzvTuSYs+TUlYdDaw9mYA7Gy
+AiNvxr2F1hJi88Wxxr3YNGKx9s0yJ2Vl0dHlCLmlQAFc9MMACZKWZN68mqbYfSVf
+qJxSG5F8qbF0+dGecwY+TjM4xdaUk4d0vD13/e+r/HLYNgwKrpO2SurNZX/isfkn
+rvNSHPgAAgkBRPFeWJ3ZROkkbV7/dF8Z4LN6hlrSHWWS2sZmKxZprQy/j48eqWZz
+6eY9IvDxfP9ATpfummdgrjexVqA3o3/wr00h/LQdPGV4YW1wbGUtc2VjcDUyMUBl
+eGFtcGxlLmNvbT6I0gQTEwoAOAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYh
+BDuvfphAabZx88MRaehLE6C0568bBQJjFhroAAoJEOhLE6C0568bQl0CCNYMV2uF
+6LA4GF8RchFQee4ZZo8aquEQ7t7a6NDBc1TbVkGLR+TWxkomEytp5EUoEEU2cNtg
+TWRvti3aZvTbEMvdAgijAGTSiO3q5kjprGu1C35oc2JWj0q66XzHEJ0aEiTMQNrz
+sJReJPQRmMnBTtzjJCmNPws/VYSEs26m36QCqePtwQ==
+=/mn1
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/openpgp.scm b/tests/openpgp.scm
index 1f20466772..68439f7485 100644
--- a/tests/openpgp.scm
+++ b/tests/openpgp.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -63,7 +63,7 @@ (define %civodul-key-id #x090B11993D9AEBB5) ;civodul.pub
#|
Test keys in ./tests/keys. They were generated in a container along these lines:
- guix environment -CP --ad-hoc gnupg pinentry coreutils
+ guix shell -CP-hoc gnupg pinentry coreutils
then, within the container:
mkdir ~/.gnupg && chmod -R og-rwx ~/.gnupg
gpg --batch --passphrase '' --quick-gen-key '<example <at> example.com>' ed25519
@@ -75,6 +75,8 @@ (define %civodul-key-id #x090B11993D9AEBB5) ;civodul.pub
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.pub
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.pub
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.pub
+(define %secp384-key-id #x2F274631FF3E6C5B) ;secp384.pub
+(define %secp521-key-id #xE84B13A0B4E7AF1B) ;secp521.pub
(define %rsa-key-fingerprint
(base16-string->bytevector
@@ -85,6 +87,12 @@ (define %dsa-key-fingerprint
(define %ed25519-key-fingerprint
(base16-string->bytevector
(string-downcase "44D31E21AF7138F9B632280A771F49CBFAAE072D")))
+(define %secp384-key-fingerprint
+ (base16-string->bytevector
+ (string-downcase "CCB67D4B1F04073829F8FCF02F274631FF3E6C5B")))
+(define %secp521-key-fingerprint
+ (base16-string->bytevector
+ (string-downcase "3BAF7E984069B671F3C31169E84B13A0B4E7AF1B")))
�
;;; The following are detached signatures created commands like:
@@ -148,6 +156,28 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
=AE4G
-----END PGP SIGNATURE-----")
+(define %hello-signature/secp384/sha384 ;digest-algo: sha384
+ "\
+-----BEGIN PGP SIGNATURE-----
+
+iJUEABMJAB0WIQTMtn1LHwQHOCn4/PAvJ0Yx/z5sWwUCYxYIKAAKCRAvJ0Yx/z5s
+WxD2AX0QMeTHLJvJxRKTBP8O9kGMY9Nz0kzRBO0OJG2gYyxu9sZ+NAEQF01jAOXl
+ApL2zVkBgLUyyleJtR24LKxK73waLJb51TA29NXJJZ2fiRZ50u/lNfrFR3PYnK7/
+gvSkL3Ldzw==
+=+7h3
+-----END PGP SIGNATURE-----")
+
+(define %hello-signature/secp521/sha512
+ "\
+-----BEGIN PGP SIGNATURE-----
+
+iLcEABMKAB0WIQQ7r36YQGm2cfPDEWnoSxOgtOevGwUCYxYb+wAKCRDoSxOgtOev
+G+ByAgdwIBTnCtzo+lFuahhMMScXZZeTH055IOhTsXmptZaE3MaazTsUw3en8C9i
+EWiy/GDQKaJEZMP3dwN1+3tNTl/NUAIIiV/BFly9Ha/cYJG+p3LG24JoHVfJx04q
+LfSXejfMIvu33h8wjMA2tRQSlqdDylMWKThJgp6GH6svp+Zr4z+Smnw=
+=1zW0
+-----END PGP SIGNATURE-----")
+
�
(test-begin "openpgp")
@@ -193,7 +223,9 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
`(,%rsa-key-id ,%rsa-key-fingerprint rsa sha256)
`(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha256)
`(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha512)
- `(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha1))
+ `(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha1)
+ `(,%secp384-key-id ,%secp384-key-fingerprint ecdsa sha384)
+ `(,%secp521-key-id ,%secp521-key-fingerprint ecdsa sha512))
(map (lambda (str)
(let ((signature (get-openpgp-detached-signature/ascii
(open-input-string str))))
@@ -205,7 +237,9 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
%hello-signature/rsa
%hello-signature/ed25519/sha256
%hello-signature/ed25519/sha512
- %hello-signature/ed25519/sha1)))
+ %hello-signature/ed25519/sha1
+ %hello-signature/secp384/sha384
+ %hello-signature/secp521/sha512)))
(test-equal "verify-openpgp-signature, missing key"
`(missing-key ,%rsa-key-fingerprint)
@@ -221,7 +255,9 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
(good-signature ,%dsa-key-id)
(good-signature ,%ed25519-key-id)
(good-signature ,%ed25519-key-id)
- (good-signature ,%ed25519-key-id))
+ (good-signature ,%ed25519-key-id)
+ (good-signature ,%secp384-key-id)
+ (good-signature ,%secp521-key-id))
(map (lambda (key signature)
(let* ((key (search-path %load-path key))
(keyring (get-openpgp-keyring
@@ -235,18 +271,24 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
(list "tests/keys/rsa.pub" "tests/keys/dsa.pub"
"tests/keys/ed25519.pub"
"tests/keys/ed25519.pub"
- "tests/keys/ed25519.pub")
+ "tests/keys/ed25519.pub"
+ "tests/keys/secp384.pub"
+ "tests/keys/secp521.pub")
(list %hello-signature/rsa %hello-signature/dsa
%hello-signature/ed25519/sha256
%hello-signature/ed25519/sha512
- %hello-signature/ed25519/sha1)))
+ %hello-signature/ed25519/sha1
+ %hello-signature/secp384/sha384
+ %hello-signature/secp521/sha512)))
(test-equal "verify-openpgp-signature, bad signature"
`((bad-signature ,%rsa-key-id)
(bad-signature ,%dsa-key-id)
(bad-signature ,%ed25519-key-id)
(bad-signature ,%ed25519-key-id)
- (bad-signature ,%ed25519-key-id))
+ (bad-signature ,%ed25519-key-id)
+ (bad-signature ,%secp384-key-id)
+ (bad-signature ,%secp521-key-id))
(let ((keyring (fold (lambda (key keyring)
(let ((key (search-path %load-path key)))
(get-openpgp-keyring
@@ -256,7 +298,9 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
%empty-keyring
'("tests/keys/rsa.pub" "tests/keys/dsa.pub"
"tests/keys/ed25519.pub" "tests/keys/ed25519.pub"
- "tests/keys/ed25519.pub"))))
+ "tests/keys/ed25519.pub"
+ "tests/keys/secp384.pub"
+ "tests/keys/secp521.pub"))))
(map (lambda (signature)
(let ((signature (string->openpgp-packet signature)))
(let-values (((status key)
@@ -266,6 +310,8 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
(list %hello-signature/rsa %hello-signature/dsa
%hello-signature/ed25519/sha256
%hello-signature/ed25519/sha512
- %hello-signature/ed25519/sha1))))
+ %hello-signature/ed25519/sha1
+ %hello-signature/secp384/sha384
+ %hello-signature/secp521/sha512))))
(test-end "openpgp")
base-commit: aae98c297214f87eb45302863adb021078c41a6f
--
2.37.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Tue, 06 Sep 2022 11:59:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 57599 <at> debbugs.gnu.org (full text, mbox):
Hi,
ECDSA and the NIST curves (and in fact a large part of NIST’s crypto
standardization work¹) are actually considered with skepticism by some:
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Concerns
That makes me wonder whether supporting them is a good idea, after all.
Evidently they’re not widely used in OpenPGP and not supporting them
hasn’t been much of a problem, it seems. On one hand, we don’t want
Guix’s OpenPGP implementation to limit what users do with their OpenPGP
keys; on the other hand, we don’t want to encourage algorithms that
bring little to the table at best and are suspicious at worst.
What do people think?
Ludo’.
¹ https://blog.cr.yp.to/20220805-nsa.html
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Tue, 06 Sep 2022 15:30:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 57599 <at> debbugs.gnu.org (full text, mbox):
My opinion: Maybe NSA recommend NIST family because they know how to get
around it. But they also have to believe foreign government can't break
it easily.
--
Retrieve my PGP public key:
gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744
Zihao
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Tue, 06 Sep 2022 16:11:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 57599 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 06-09-2022 13:58, Ludovic Courtès wrote:
> Hi,
>
> ECDSA and the NIST curves (and in fact a large part of NIST’s crypto
> standardization work¹) are actually considered with skepticism by some:
>
> https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Concerns
>
> That makes me wonder whether supporting them is a good idea, after all.
> Evidently they’re not widely used in OpenPGP and not supporting them
> hasn’t been much of a problem, it seems. On one hand, we don’t want
> Guix’s OpenPGP implementation to limit what users do with their OpenPGP
> keys; on the other hand, we don’t want to encourage algorithms that
> bring little to the table at best and are suspicious at worst.
>
> What do people think?
We disallow signing with SHA-1, because it is known to be vulnerable and
as there are alternatives that are considered good, even if this limits
what users can do with their OpenPGP keys.
In case of those curves, I'm not aware of any 'crytopgraphic proof' (*)
that the curves are vulnerable (unlike for SHA-1), but as noted in ¹ and
elsewhere, there are other kinds of evidence that something is wrong.
Except for the different nature of the evidence of vulnerability, it
seems about the same situation to me. As such, I don't think we should
support them (some nice error messages like 'This algorithm [...] is not
supported yet’ or ‘This algorithm [...] is (likely/known to be)
vulnerable’ would be good though!).
(*) I mean proof, like in mathematical proofs, not merely evidence.
An alternative option would be to allow the channel .guix-authorization
(of the previous commits, not the commit that is about to be verified!)
to decide what's considered a 'good algorithm' (with some defaults)
(with a field). Maybe we'll have to deprecate, say, RSA or SHA-3
eventually, it would be nice to have a migration method in place as
early as possible, to minimise the risk of some people doing a "guix
pull" from a Guix that does not support that field to a Guix or other
channel that _does_ use that field.
Zhu Zihao wrote:
> My opinion: Maybe NSA recommend NIST family because they know how to get
> around it.
If so, I believe this is an argument against allowing these curves, to
avoid a method NSA could use for attacks.
> But they also have to believe foreign government can't break
> it easily.
For people outside the US, the US (of which the NSA is an agency) _is_ a
foreign government. As Guix is not an US-specific project, I do not
think this is an argument for allowing the curves.
Greetings,
Maxime.
> Ludo’.
>
> ¹ https://blog.cr.yp.to/20220805-nsa.html
>
>
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Tue, 06 Sep 2022 20:04:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 57599 <at> debbugs.gnu.org (full text, mbox):
Hi,
(Cc’ing Andreas for extra advice.)
Maxime Devos <maximedevos <at> telenet.be> skribis:
> We disallow signing with SHA-1, because it is known to be vulnerable
> and as there are alternatives that are considered good, even if this
> limits what users can do with their OpenPGP keys.
Right, we know it’s affordable to break SHA-1 these days.
> In case of those curves, I'm not aware of any 'crytopgraphic proof'
> (*) that the curves are vulnerable (unlike for SHA-1), but as noted in
> ¹ and elsewhere, there are other kinds of evidence that something is
> wrong.
It’s different from SHA-1 though: ECDSA is not known to be vulnerable,
and AIUI we can’t tell that there’s a possibility NIST/NSA has a
backdoor as is the case for DualEC. However, the whole NIST design
process is tainted. So my understanding is that it’s really a gray
area.
> Except for the different nature of the evidence of vulnerability, it
> seems about the same situation to me. As such, I don't think we should
> support them (some nice error messages like 'This algorithm [...] is
> not supported yet’ or ‘This algorithm [...] is (likely/known to be)
> vulnerable’ would be good though!).
Yes, that we can improve. :-)
> An alternative option would be to allow the channel
> .guix-authorization (of the previous commits, not the commit that is
> about to be verified!) to decide what's considered a 'good algorithm'
> (with some defaults) (with a field). Maybe we'll have to deprecate,
> say, RSA or SHA-3 eventually, it would be nice to have a migration
> method in place as early as possible, to minimise the risk of some
> people doing a "guix pull" from a Guix that does not support that
> field to a Guix or other channel that _does_ use that field.
It’s tempting, but I’d rather avoid introducing such mechanisms to keep
things as simple as possible.
Thanks,
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Wed, 07 Sep 2022 10:35:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 57599 <at> debbugs.gnu.org (full text, mbox):
Hello,
Am Tue, Sep 06, 2022 at 10:02:55PM +0200 schrieb Ludovic Courtès:
> (Cc’ing Andreas for extra advice.)
well, I agree with your analysis. There is no concrete evidence that the
NIST curves may be flawed, and a general belief that not all crypto
standards of NIST are flawed or backdoored... So it makes sense to accept
the curves, but ultimately this is a political decision (and a personal
decision about which type of key a user creates).
Andreas
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Wed, 07 Sep 2022 11:14:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 57599 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 06-09-2022 22:02, Ludovic Courtès wrote:
>> In case of those curves, I'm not aware of any 'crytopgraphic proof'
>> (*) that the curves are vulnerable (unlike for SHA-1), but as noted in
>> ¹ and elsewhere, there are other kinds of evidence that something is
>> wrong.
> It’s different from SHA-1 though: ECDSA is not known to be vulnerable,
> and AIUI we can’t tell that there’s a possibility NIST/NSA has a
> backdoor as is the case for DualEC. However, the whole NIST design
> process is tainted. So my understanding is that it’s really a gray
> area.
In cryptography (and security), being a grey area and not known to be
vulnerable is not sufficient -- rather, there has to be a reason for
confidence that that the crypto is actually good and not-vulnerable for
a decent amount of time.
Or, in other words, in cryptography and security there is no assumption
of innocence -- rather, it starts with the assumption that anyone might
be an attacker and whoever proposes a crypto thing has to convince
others that their crypto is secure, and a communication party has to
proof to the other party that they aren't an imposter (public key
signing, with an previously agreed on key and algorithm).
Andreas wrote:
> well, I agree with your analysis. There is no concrete evidence that the
> NIST curves may be flawed, and a general belief that not all crypto
> standards of NIST are flawed or backdoored... So it makes sense to accept
> the curves, (and a personal decision about which type of key a user creates).
I followed you right until the conclusion, it appears that you are
starting from an assumption of innocence, which might explain our
different conclusions?
Also, we _do_ have concrete evidence that the curves are flawed -- the
website on the link mentions many issues in the process and it has been
shown in the past that the NSA is in the habit of subverting
communications (*).
(*) I can give some sources if you don't know of them already.
Channels are for sharing things between multiple people. The keys are
for authenticating channels. As multiple people are involved for a
channel, this seems be be a non-personal decision by definition.
Greetings,
Maxime.
[Message part 2 (text/html, inline)]
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Wed, 07 Sep 2022 12:03:03 GMT)
Full text and
rfc822 format available.
Message #26 received at 57599 <at> debbugs.gnu.org (full text, mbox):
Am Wed, Sep 07, 2022 at 01:13:25PM +0200 schrieb Maxime Devos:
> Also, we _do_ have concrete evidence that the curves are flawed -- the website
> on the link mentions many issues in the process
The website (you mean the blog by D. Bernstein?) also mentions the use of
a hash function to arrive at the parameters. Maybe I overlooked something,
but I did not find other mentions of the curves (but I did not read the
page from A to Z).
> past that the NSA is in the habit of subverting communications.
But this is not concrete evidence that these curves are flawed.
As far as is publicly known, there are a few weak (and sparse) classes
of insecure elliptic curves, and the NIST curves do not belong to them.
So the only way these curves could be flawed is that there is an unknown
class of insecure curves, where the insecurity is known by the NSA.
Then if this class is sufficiently dense, one could start with a random
seed, hash the seed, and repeat until one obtains a weak instance;
see this link by a well-known cryptologist
https://miracl.com/blog/backdoors-in-nist-elliptic-curves/
and the link given there (to another post by Bernstein).
This is possible, but speculation instead of evidence.
Newer constructions are better, but not perfect; optimally one would want
a process of "generation of public random numbers" as described here:
https://eprint.iacr.org/2015/366
> Channels are for sharing things between multiple people. The keys are for
> authenticating channels. As multiple people are involved for a channel, this
> seems be be a non-personal decision by definition.
I said "political", which fits well the setting of multiple people involved.
And I meant this in opposition to "scientific", given the lack of evidence
against the NIST curves.
Andreas
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Wed, 07 Sep 2022 12:52:02 GMT)
Full text and
rfc822 format available.
Message #29 received at 57599 <at> debbugs.gnu.org (full text, mbox):
Hi,
Thanks a lot for the explanations, Andreas!
As you write, the decision will be “political” as there’s no scientific
evidence to guide us.
I’d like to see what other free software OpenPGP implementors decided
(primarily Sequoia; GnuPG/Libgcrypt implement them).
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#57599; Package
guix-patches.
(Wed, 07 Sep 2022 15:32:02 GMT)
Full text and
rfc822 format available.
Message #32 received at 57599 <at> debbugs.gnu.org (full text, mbox):
Hi,
On Wed, 07 Sep 2022 at 14:51, Ludovic Courtès <ludo <at> gnu.org> wrote:
> I’d like to see what other free software OpenPGP implementors decided
> (primarily Sequoia; GnuPG/Libgcrypt implement them).
Maybe related <https://sequoia-pgp.org/status/>.
Cheers,
simon
Reply sent
to
Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility.
(Sat, 24 Sep 2022 09:54:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer.
(Sat, 24 Sep 2022 09:54:02 GMT)
Full text and
rfc822 format available.
Message #37 received at 57599-done <at> debbugs.gnu.org (full text, mbox):
Hi!
All things considered, I prefer to drop this patch. In the unlikely
event that we’ll get more requests to support these curves, we can
always revisit the issue.
What we should do, though, is improve error reporting in case an
unsupported curve or algorithm is encountered.
Thanks,
Ludo’.
Added tag(s) wontfix.
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org.
(Sat, 24 Sep 2022 13:04:03 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sun, 23 Oct 2022 11:24:15 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 178 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.