Network Working Group                                    D. Huigens, Ed.
Internet-Draft                                                 Proton AG
Updates: 4880 (if approved)                                  7 July 2023
Intended status: Standards Track                                        
Expires: 8 January 2024


                  Persistent Symmetric Keys in OpenPGP
           draft-huigens-openpgp-persistent-symmetric-keys-00

Abstract

   This document defines new algorithms for the OpenPGP standard
   (RFC4880) to support persistent symmetric keys, for message
   encryption using authenticated encryption with associated data (AEAD)
   and for authentication with hash-based message authentication codes
   (HMAC).  This enables the use of symmetric cryptography for data
   storage (and other contexts that do not require asymmetric
   cryptography), for improved performance, smaller keys, and improved
   resistance to quantum computing.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://twisstle.gitlab.io/openpgp-persistent-symmetric-keys/.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-huigens-openpgp-persistent-symmetric-keys/.

   Discussion of this document takes place on the OpenPGP Working Group
   mailing list (mailto:openpgp@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/openpgp/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/openpgp/.

   Source for this draft and an issue tracker can be found at
   https://gitlab.com/twisstle/openpgp-persistent-symmetric-keys.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.



Huigens                  Expires 8 January 2024                 [Page 1]

Internet-Draft    Persistent Symmetric Keys in OpenPGP         July 2023


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 January 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Motivation
   4.  Persistent Symmetric Key Algorithms
     4.1.  Algorithm-Specific Fields for AEAD keys
     4.2.  Algorithm-Specific Fields for HMAC keys
     4.3.  Algorithm-Specific Fields for AEAD encryption
     4.4.  Algorithm-Specific Fields for HMAC signatures
   5.  Other Changes
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  Additions to Public-Key Algorithms
     7.2.  Modifications to Packet Type Descriptions
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Author's Address

1.  Introduction

   The OpenPGP standard [RFC4880] has supported symmetric encryption for
   data packets using session keys since its inception, as well as
   symmetric encryption using password-derived keys.  This document
   extends the use of symmetric cryptography by adding support for
   persistent symmetric keys which can be stored in a transferable
   private key, and used to symmetrically encrypt session keys, for
   long-term storage and archival of messages.  This document uses
   authenticated encryption with associated data (AEAD) as proposed by
   the OpenPGP crypto refresh [crypto-refresh].

   The OpenPGP standard also supports the use of digital signatures for
   authentication and integrity but no similar symmetric mechanism
   exists in the standard.  This document introduces hash-based message
   authentication codes (HMAC) as a symmetric counterpart to digital
   signatures, for long-term storage and archival of attestations of
   authenticity and certification.

   Rather than introducing new packets for storing persistent symmetric
   keys, the existing Secret-Key packets are reused for this purpose.
   To indicate the type of keys, two "Public-Key Algorithms" (AEAD and
   HMAC) are registered, with IDs 64 and 65.

   Similarly, we reuse the Signature packet for "symmetric signatures".
   For session keys encrypted with persistent symmetric keys, while a
   "Symmetric-Key Encrypted Session Key packet" exists, its semantics
   don't match our goals, as it's intended to encrypt the session key
   with a user-provided password, and doesn't offer a way to store a
   reference to a persistent key.  Therefore, we reuse the "Public-Key
   Encrypted Session Key packet" instead, which does offer the desired
   semantics.  Nevertheless, given this usage, the naming of these
   packets may be confusing, so we propose to rename them to "Password
   Encrypted Session Key packet" and "Key Encrypted Session Key packet",
   instead.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].  Any
   implementation that adheres to the format and methods specified in
   this document is called a compliant application.  Compliant
   applications are a subset of the broader set of OpenPGP applications
   described in [RFC4880] and the OpenPGP crypto refresh
   [crypto-refresh].  Any [RFC2119] keyword within this document applies
   to compliant applications only.

3.  Motivation

   When compared to asymmetric cryptography, symmetric cryptography can
   provide improved performance and equivalent security with smaller
   keys.  In contexts that do not require asymmetric cryptography, such
   as secure data storage where the same user encrypts and decrypts
   data, symmetric cryptography can be used to take advantage of these
   benefits.

   Additionally, asymmetric algorithms included in OpenPGP are
   vulnerable to attacks that might become possible on quantum computers
   [Shor].  Symmetric cryptography is also affected by quantum computing
   but to a lesser extent, which can be countered by using larger keys
   [Grover].  While the standardization of quantum-secure asymmetric
   cryptography in OpenPGP is ongoing [PQCinOpenPGP], and will be
   required to secure communications, there is a large body of existing
   messages encrypted with classical algorithms.  Once persistent
   symmetric keys are available, these messages can be protected against
   future compromises efficiently by symmetrically re-encrypting the
   session key, and storing the message symmetrically encrypted for
   long-term storage and archival.

4.  Persistent Symmetric Key Algorithms

   This document defines two new "public-key algorithms" for use with
   OpenPGP, extending the table in section 9.1 of [RFC4880].

   +==+================+=========+========+================+===========+
   |ID| Algorithm      |Public   |Secret  | Signature      |PKESK      |
   |  |                |Key      |Key     | Format         |Format     |
   |  |                |Format   |Format  |                |           |
   +==+================+=========+========+================+===========+
   |64| Authenticated  |sym.     |hash    | N/A            |AEAD algo, |
   |  | Encryption     |algo,    |seed,   |                |IV,        |
   |  | with           |seed hash|key     |                |length,    |
   |  | Associated     |[Section |material|                |ciphertext |
   |  | Data           |4.1]     |        |                |[Section   |
   |  |                |         |        |                |4.3]       |
   +--+----------------+---------+--------+----------------+-----------+
   |65| Hash-based     |hash     |hash    | authentication |N/A        |
   |  | Message        |algo,    |seed,   | tag            |           |
   |  | Authentication |seed hash|key     |                |           |
   |  | Code [RFC2104] |[Section |material|                |           |
   |  |                |4.2]     |        |                |           |
   +--+----------------+---------+--------+----------------+-----------+

          Table 1: Extension to the public-key algorithm registry

   These algorithm IDs can be used in Secret-Key Packets and Secret-
   Subkey Packets to hold symmetric key material, in Public-Key
   Encrypted Session Key Packets (for AEAD) to hold session keys
   encrypted using AEAD, and in Signature Packets (for HMAC) to store
   HMAC-based signatures.

   As the secret key material is required for all cryptographic
   operations with symmetric keys, implementations SHOULD NOT use these
   algorithm IDs in Public-Key Packets or Public-Subkey Packets, and
   SHOULD NOT export Public-Key Packets from Secret-Key Packets holding
   symmetric key material.

4.1.  Algorithm-Specific Fields for AEAD keys

   The public key is this series of values:

   *  A one-octet symmetric algorithm identifier (see section 9.3 of
      [crypto-refresh])

   *  A 32-octet SHA-256 hash of the seed in the private key material

   The private key is this series of values:

   *  A 32-octet seed value to be hashed for the public key material

   *  Symmetric key material of appropriate length for the chosen
      symmetric algorithm

4.2.  Algorithm-Specific Fields for HMAC keys

   The public key is this series of values:

   *  A one-octet hash algorithm identifier (see section 9.5 of
      [crypto-refresh])

   *  A 32-octet SHA-256 hash of the seed in the private key material

   The private key is this series of values:

   *  A 32-octet seed value to be hashed for the public key material

   *  Symmetric key material of the length of the hash output size of
      the chosen hash algorithm
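
   The field layouts of Sections 4.1 and 4.2, as an added example that
   is not part of this draft: it builds and validates only the
   algorithm-specific fields, not a full Secret-Key packet.  The
   cipher and hash IDs and the function names are assumptions taken
   from the OpenPGP registries, not from this page.

```python
import hashlib
import hmac
import os

# IDs assumed from the OpenPGP registries (not listed on this page).
SYM_KEY_LEN = {7: 16, 8: 24, 9: 32}      # AES-128, AES-192, AES-256
HASH_OUT_LEN = {8: 32, 9: 48, 10: 64}    # SHA-256, SHA-384, SHA-512
ALGO_AEAD, ALGO_HMAC = 64, 65            # IDs registered by this draft
SEED_LEN = 32


def key_len(pk_algo, sub_algo):
    """Length of the symmetric key material for a key of this type."""
    if pk_algo == ALGO_AEAD:
        table = SYM_KEY_LEN       # sized by the symmetric cipher
    elif pk_algo == ALGO_HMAC:
        table = HASH_OUT_LEN      # sized by the hash output
    else:
        raise ValueError("not a persistent symmetric key algorithm")
    if sub_algo not in table:
        raise ValueError("unsupported algorithm identifier")
    return table[sub_algo]


def generate(pk_algo, sub_algo):
    """Return (public_fields, private_fields) as raw octet strings."""
    n = key_len(pk_algo, sub_algo)
    seed = os.urandom(SEED_LEN)
    public = bytes([sub_algo]) + hashlib.sha256(seed).digest()
    private = seed + os.urandom(n)
    return public, private


def parse(pk_algo, public, private):
    """Check both field series against each other; return the key material."""
    if len(public) != 1 + 32:
        raise ValueError("public fields must be 33 octets")
    n = key_len(pk_algo, public[0])
    if len(private) != SEED_LEN + n:
        raise ValueError("private fields have the wrong length")
    seed, key = private[:SEED_LEN], private[SEED_LEN:]
    if not hmac.compare_digest(hashlib.sha256(seed).digest(), public[1:]):
        raise ValueError("seed hash does not match the private seed")
    return key
```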

4.3.  Algorithm-Specific Fields for AEAD encryption

   *  A one-octet AEAD algorithm (see section 9.6 of [crypto-refresh])

   *  A starting initialization vector of size specified by AEAD mode

   *  A one-octet length of the following field

   *  A symmetric key encryption of the plaintext value described in
      section 5.1 of [crypto-refresh], performed using the selected
      symmetric-key cipher operating in the given AEAD mode, including
      the authentication tag.
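
   A strict parser for the four fields listed above, as an added
   example that is not part of this draft.  The AEAD IDs, IV sizes and
   the 16-octet tag size are assumptions taken from the crypto-refresh
   AEAD registry, the function names are hypothetical, and the input
   is assumed to be exactly the algorithm-specific part of the packet.

```python
# AEAD algorithm ID -> IV size in octets (EAX, OCB, GCM); values assumed
# from the crypto-refresh AEAD registry, not listed on this page.
AEAD_IV_LEN = {1: 16, 2: 15, 3: 12}
AEAD_TAG_LEN = 16  # assumed tag size for all three modes


def serialize_esk(aead_algo, iv, ciphertext_and_tag):
    """Build the four fields: algo, IV, one-octet length, ciphertext."""
    if AEAD_IV_LEN.get(aead_algo) != len(iv):
        raise ValueError("IV size does not match the AEAD mode")
    if not AEAD_TAG_LEN < len(ciphertext_and_tag) <= 255:
        raise ValueError("ciphertext must fit a one-octet length")
    return (bytes([aead_algo]) + iv
            + bytes([len(ciphertext_and_tag)]) + ciphertext_and_tag)


def parse_esk(buf):
    """Split the fields, rejecting truncated or inconsistent input."""
    if not buf or buf[0] not in AEAD_IV_LEN:
        raise ValueError("missing or unknown AEAD algorithm")
    iv_len = AEAD_IV_LEN[buf[0]]
    if len(buf) < 1 + iv_len + 1:
        raise ValueError("truncated before the length octet")
    iv = buf[1:1 + iv_len]
    body = buf[2 + iv_len:]
    if buf[1 + iv_len] != len(body):
        raise ValueError("length octet disagrees with remaining data")
    if len(body) <= AEAD_TAG_LEN:
        raise ValueError("no room for ciphertext plus authentication tag")
    return {"aead": buf[0], "iv": iv,
            "ciphertext": body[:-AEAD_TAG_LEN], "tag": body[-AEAD_TAG_LEN:]}


# Constructed sample: GCM (ID 3), zero IV, 33 placeholder octets and a
# 16-octet placeholder tag. These are not real ciphertext.
SAMPLE = serialize_esk(3, bytes(12), bytes(range(33)) + b"\xaa" * 16)
```

   Because the length field is a single octet, the encrypted value
   including its tag cannot exceed 255 octets.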

4.4.  Algorithm-Specific Fields for HMAC signatures

   *  An authentication tag of appropriate length for the hash algorithm

   Although not required by HMAC, to maintain compatibility with
   existing signature implementations, HMAC tags are produced from
   appropriately hashed data, as per section 5.2.4 of [crypto-refresh].

5.  Other Changes

   To reflect the usage of symmetric algorithms, we propose to rename
   Public-Key Encrypted Session Key Packet (Tag 1) to Key Encrypted
   Session Key Packet (shorthand "PESK"), and rename Symmetric-Key
   Encrypted Session Key Packet (Tag 3) to Password Encrypted Session
   Key Packet (shorthand "SESK").  These names reflect the semantics and
   intended use of the packets, as opposed to the cryptographic
   algorithms used.

6.  Security Considerations

   Security considerations are discussed throughout the document where
   appropriate.

7.  IANA Considerations

7.1.  Additions to Public-Key Algorithms

   IANA is requested to add the entries in Section 4 to the "Public Key
   Algorithms" registry.

7.2.  Modifications to Packet Type Descriptions

   IANA is requested to modify the "PGP Packet Types/Tags" registry as
   follows:

   *  For Packet Tag 1 ("Public-Key Encrypted Session Key Packet"),
      change the Packet Type to "Key Encrypted Session Key Packet", and
      the Shorthand to "KESK".

   *  For Packet Tag 3 ("Symmetric-Key Encrypted Session Key Packet"),
      change the Packet Type to "Password Encrypted Session Key Packet",
      and the Shorthand to "PESK".

8.  Acknowledgements

   An initial version of this draft was written by Dan Ristea (Proton
   AG), with guidance from Dr Philipp Jovanovic (University College
   London).

9.  References

9.1.  Normative References

   [crypto-refresh]
              Wouters, P., Huigens, D., Winter, J., and N. Yutaka,
              "OpenPGP", June 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-10>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007,
              <https://www.rfc-editor.org/info/rfc4880>.

9.2.  Informative References

   [Grover]   Grover, L., "Quantum mechanics helps in searching for a
              needle in a haystack", 1997,
              <https://arxiv.org/abs/quant-ph/9706033>.

   [PQCinOpenPGP]
              Kousidis, S., Strenzke, F., and A. Wussler, "Post-Quantum
              Cryptography in OpenPGP", March 2023,
              <https://datatracker.ietf.org/doc/html/draft-wussler-openpgp-pqc-01>.

   [Shor]     Shor, P., "Polynomial-Time Algorithms for Prime
              Factorization and Discrete Logarithms on a Quantum
              Computer", October 1997,
              <http://dx.doi.org/10.1137/S0097539795293172>.

Author's Address

   Daniel Huigens (editor)
   Proton AG
   Route de la Galaise 32
   CH-1228 Plan-les-Ouates
   Switzerland
   Email: d.huigens@protonmail.com