Internet DRAFT - draft-huigens-openpgp-persistent-symmetric-keys

draft-huigens-openpgp-persistent-symmetric-keys







Network Working Group                                    D. Huigens, Ed.
Internet-Draft                                                 Proton AG
Updates: 4880 (if approved)                               3 January 2024
Intended status: Standards Track                                        
Expires: 6 July 2024


                  Persistent Symmetric Keys in OpenPGP
           draft-huigens-openpgp-persistent-symmetric-keys-02

Abstract

   This document defines new algorithms for the OpenPGP standard
   (RFC4880) to support persistent symmetric keys, for message
   encryption using authenticated encryption with additional data (AEAD)
   and for authentication with hash-based message authentication codes
   (HMAC).  This enables the use of symmetric cryptography for data
   storage (and other contexts that do not require asymmetric
   cryptography), for improved performance, smaller keys, and improved
   resistance to quantum computing.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://twisstle.gitlab.io/openpgp-persistent-symmetric-keys/.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-huigens-openpgp-persistent-
   symmetric-keys/.

   Discussion of this document takes place on the OpenPGP Working Group
   mailing list (mailto:openpgp@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/openpgp/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/openpgp/.

   Source for this draft and an issue tracker can be found at
   https://gitlab.com/twisstle/openpgp-persistent-symmetric-keys.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.



Huigens                    Expires 6 July 2024                  [Page 1]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 July 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  Motivation  . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Reusing and Renaming Packets  . . . . . . . . . . . . . . . .   4
   5.  Persistent Symmetric Key Algorithms . . . . . . . . . . . . .   4
     5.1.  Algorithm-Specific Fields for AEAD keys . . . . . . . . .   5
     5.2.  Algorithm-Specific Fields for HMAC keys . . . . . . . . .   6
     5.3.  Algorithm-Specific Fields for AEAD encryption . . . . . .   6
     5.4.  Algorithm-Specific Fields for HMAC signatures . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Updates to Public Key Algorithms  . . . . . . . . . . . .   7
     7.2.  Updates to Packet Type Descriptions . . . . . . . . . . .   7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8










Huigens                    Expires 6 July 2024                  [Page 2]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


1.  Introduction

   The OpenPGP standard [RFC4880] has supported symmetric encryption for
   data packets using session keys since its inception, as well as
   symmetric encryption using password-derived keys.  This document
   extends the use of symmetric cryptography by adding support for
   persistent symmetric keys which can be stored in a transferable
   private key, and used to symmetrically encrypt session keys, for
   long-term storage and archival of messages.  This document uses
   authenticated encryption with associated data (AEAD) as proposed by
   the OpenPGP crypto refresh [crypto-refresh].

   The OpenPGP standard also supports the use of digital signatures for
   authentication and integrity but no similar symmetric mechanism
   exists in the standard.  This document introduces hash-based message
   authentication codes (HMAC) as a symmetric counterpart to digital
   signatures, for long-term storage and archival of attestations of
   authenticity and certification.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].  Any
   implementation that adheres to the format and methods specified in
   this document is called a compliant application.  Compliant
   applications are a subset of the broader set of OpenPGP applications
   described in [RFC4880] and the OpenPGP crypto refresh
   [crypto-refresh].  Any [RFC2119] keyword within this document applies
   to compliant applications only.

3.  Motivation

   When compared to asymmetric cryptography, symmetric cryptography can
   provide improved performance and equivalent security with smaller
   keys.  In contexts that do not require asymmetric cryptography, such
   as secure data storage where the same user encrypts and decrypts
   data, symmetric cryptography can be used to take advantage of these
   benefits.

   Additionally, asymmetric algorithms included in OpenPGP are
   vulnerable to attacks that might become possible on quantum computers
   [Shor].  Symmetric cryptography is also affected by quantum computing
   but to a lesser extent, which can be countered by using larger keys
   [Grover].  While the standardization of quantum-secure asymmetric
   cryptography in OpenPGP is ongoing [PQCinOpenPGP], and will be
   required to secure communications, there is a large body of existing
   messages encrypted with classical algorithms.  Once persistent



Huigens                    Expires 6 July 2024                  [Page 3]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


   symmetric keys are available, these messages can be protected against
   future compromises efficiently by symmetrically re-encrypting the
   session key, and storing the message symmetrically encrypted for
   long-term storage and archival.

4.  Reusing and Renaming Packets

   Rather than introducing new packets for storing persistent symmetric
   keys, the existing Secret-Key packets are reused for this purpose.
   To indicate the type of keys, two algorithms (AEAD and HMAC) are
   registered, whose IDs can be used in the place of public-key
   algorithm IDs.  To accommodate these additions, we propose renaming
   the Public Key Algorithms registry to Persistent Key Algorithms.

   Similarly, we reuse the Signature packet for "symmetric signatures".
   For session keys encrypted with persistent symmetric keys, while a
   Symmetric-Key Encrypted Session Key packet exists, its semantics
   don't match our requirements, as it's intended to encrypt the session
   key with a user-provided password, and doesn't offer a way to store a
   reference to a persistent key.  Therefore, we reuse the Public-Key
   Encrypted Session Key packet instead, which does offer the desired
   semantics.  Nevertheless, given this usage, the naming of these
   packets may be confusing, so we propose to rename them to "String-to-
   Key Encrypted Session Key packet" and "Persistent Key Encrypted
   Session Key packet", instead.

5.  Persistent Symmetric Key Algorithms

   This document defines two new algorithms for use with OpenPGP,
   extending the table in section 9.1 of [crypto-refresh].





















Huigens                    Expires 6 July 2024                  [Page 4]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


   +==+===========+===========+==========+================+============+
   |ID| Algorithm | Public    | Secret   | Signature      | PKESK      |
   |  |           | Key       | Key      | Format         | Format     |
   |  |           | Format    | Format   |                |            |
   +==+===========+===========+==========+================+============+
   |64| AEAD      | sym.      | hash     | N/A            | AEAD algo, |
   |  |           | algo,     | seed,    |                | IV,        |
   |  |           | seed      | key      |                | length,    |
   |  |           | hash      | material |                | ciphertext |
   |  |           | [Section  |          |                | [Section   |
   |  |           | 5.1]      |          |                | 5.3]       |
   +--+-----------+-----------+----------+----------------+------------+
   |65| HMAC      | hash      | hash     | authentication | N/A        |
   |  | [RFC2104] | algo,     | seed,    | tag            |            |
   |  |           | seed      | key      | [Section 5.4]  |            |
   |  |           | hash      | material |                |            |
   |  |           | [Section  |          |                |            |
   |  |           | 5.2]      |          |                |            |
   +--+-----------+-----------+----------+----------------+------------+

         Table 1: Persistent Symmetric Key Algorithm registrations

   These algorithm IDs can be used to store symmetric key material in
   Secret-Key Packets and Secret-Subkey packets (see section 5.5.3 of
   [crypto-refresh]).  The AEAD algorithm ID can be used to store
   session keys encrypted using AEAD in PKESK packets (see section 5.1
   of [crypto-refresh]).  The HMAC algorithm ID can be used to store
   HMAC-based signatures in Signature packets (see section 5.2 of
   [crypto-refresh]).

   As the secret key material is required for all cryptographic
   operations with symmetric keys, implementations SHOULD NOT use these
   algorithm IDs in Public-Key Packets or Public-Subkey Packets, and
   SHOULD NOT export Public-Key Packets from Secret-Key Packets holding
   symmetric key material.

5.1.  Algorithm-Specific Fields for AEAD keys

   The public key is this series of values:

   *  A one-octet symmetric algorithm identifier (see section 9.3 of
      [crypto-refresh])

   *  A 32-octet SHA-256 hash of the seed in the private key material

   The private key is this series of values:

   *  A 32-octet seed value to be hashed for the public key material



Huigens                    Expires 6 July 2024                  [Page 5]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


   *  Symmetric key material of appropriate length for the chosen
      symmetric algorithm

5.2.  Algorithm-Specific Fields for HMAC keys

   The public key is this series of values:

   *  A one-octet hash algorithm identifier (see section 9.5 of
      [crypto-refresh])

   *  A 32-octet SHA-256 hash of the seed in the private key material

   The private key is this series of values:

   *  A 32-octet seed value to be hashed for the public key material

   *  Symmetric key material of the length of the hash output size of
      the chosen hash algorithm

5.3.  Algorithm-Specific Fields for AEAD encryption

   *  A one-octet AEAD algorithm (see section 9.6 of [crypto-refresh])

   *  A starting initialization vector of size specified by AEAD mode

   *  A one-octet length of the following field

   *  A symmetric key encryption of the plaintext value described in
      section 5.1 of [crypto-refresh], performed using the selected
      symmetric-key cipher operating in the given AEAD mode, including
      the authentication tag.

5.4.  Algorithm-Specific Fields for HMAC signatures

   *  An authentication tag of appropriate length for the hash algorithm

   Although not required by HMAC, to maintain compatibility with
   existing signature implementations, HMAC tags are produced from
   appropriately hashed data, as per section 5.2.4 of [crypto-refresh].

6.  Security Considerations

   Security considerations are discussed throughout the document where
   appropriate.







Huigens                    Expires 6 July 2024                  [Page 6]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


7.  IANA Considerations

7.1.  Updates to Public Key Algorithms

   IANA is requested to rename the "Public Key Algorithms" registry to
   "Persistent Key Algorithms", and add the entries in Table 1 to the
   registry.

7.2.  Updates to Packet Type Descriptions

   IANA is requested to modify the "PGP Packet Types/Tags" registry as
   follows:

   *  For Packet Tag 1 ("Public-Key Encrypted Session Key Packet"),
      change the Packet Type to "Persistent Key Encrypted Session Key
      Packet".

   *  For Packet Tag 3 ("Symmetric-Key Encrypted Session Key Packet"),
      change the Packet Type to "String-to-Key Encrypted Session Key
      Packet".

8.  Acknowledgements

   An initial version of this draft was written by Dan Ristea (Proton
   AG), with guidance from Dr Philipp Jovanovic (University College
   London).

9.  References

9.1.  Normative References

   [crypto-refresh]
              Wouters, P., Huigens, D., Winter, J., and N. Yutaka,
              "OpenPGP", October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-
              crypto-refresh-12>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.





Huigens                    Expires 6 July 2024                  [Page 7]

Internet-Draft    Persistent Symmetric Keys in OpenPGP      January 2024


   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007,
              <https://www.rfc-editor.org/info/rfc4880>.

9.2.  Informative References

   [Grover]   Grover, L., "Quantum mechanics helps in searching for a
              needle in a haystack", 1997,
              <https://arxiv.org/abs/quant-ph/9706033>.

   [PQCinOpenPGP]
              Kousidis, S., Strenzke, F., and A. Wussler, "Post-Quantum
              Cryptography in OpenPGP", October 2023,
              <https://datatracker.ietf.org/doc/html/draft-wussler-
              openpgp-pqc-03>.

   [Shor]     Shor, P., "Polynomial-Time Algorithms for Prime
              Factorization and Discrete Logarithms on a Quantum
              Computer", October 1997,
              <http://dx.doi.org/10.1137/S0097539795293172>.

Author's Address

   Daniel Huigens (editor)
   Proton AG
   Route de la Galaise 32
   CH-1228 Plan-les-Ouates
   Switzerland
   Email: d.huigens@protonmail.com





















Huigens                    Expires 6 July 2024                  [Page 8]