OpenPGP
draft-ietf-openpgp-crypto-refresh-13

Document type: Active Internet-Draft (openpgp WG)
Authors: Paul Wouters, Daniel Huigens, Justus Winter, Niibe Yutaka
Last updated: 2024-01-29 (latest revision 2024-01-04)
Replaces: draft-ietf-openpgp-rfc4880bis
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: Proposed Standard
Additional resources:
   GOpenPGP: implementation in Go
   OpenPGP.js: implementation in JavaScript
   PGPainless: implementation in Java
   PGPy: implementation in Python
   Sequoia: implementation in Rust
   Mailing list discussion
WG state: Submitted to IESG for Publication
Document shepherd: Stephen Farrell
Shepherd write-up: last changed 2023-06-23
IESG state: RFC Ed Queue
Action holders: (None)
Consensus boilerplate: Yes
Telechat date: (None)
Responsible AD: Roman Danyliw
Send notices to: stephen.farrell@cs.tcd.ie
IANA review state: IANA OK - Actions Needed
IANA action state: RFC-Ed-Ack
RFC Editor state: EDIT
Internet-Draft                   OpenPGP                    January 2024

   -----BEGIN PGP MESSAGE-----
   Comment: Encrypted using AES with 128-bit key
   Comment: Session key: 01FE16BBACFD1E7B78EF3B865187374F

   wycEBwScUvg8J/leUNU1RA7N/zE2AQQVnlL8rSLPP5VlQsunlO+ECxHSPgGYGKY+
   YJz4u6F+DDlDBOr5NRQXt/KJIf4m4mOlKyC/uqLbpnLJZMnTq3o79GxBTdIdOzhH
   XfA3pqV4mTzF
   -----END PGP MESSAGE-----

A.12.2.  Version 4 SKESK using Argon2 with AES-192

   -----BEGIN PGP MESSAGE-----
   Comment: Encrypted using AES with 192-bit key
   Comment: Session key: 27006DAE68E509022CE45A14E569E91001C2955...
   Comment: Session key: ...AF8DFE194

   wy8ECAThTKxHFTRZGKli3KNH4UP4AQQVhzLJ2va3FG8/pmpIPd/H/mdoVS5VBLLw
   F9I+AdJ1Sw56PRYiKZjCvHg+2bnq02s33AJJoyBexBI4QKATFRkyez2gldJldRys
   LVg77Mwwfgl2n/d572WciAM=
   -----END PGP MESSAGE-----

A.12.3.  Version 4 SKESK using Argon2 with AES-256

   -----BEGIN PGP MESSAGE-----
   Comment: Encrypted using AES with 256-bit key
   Comment: Session key: BBEDA55B9AAE63DAC45D4F49D89DACF4AF37FEF...
   Comment: Session key: ...C13BAB2F1F8E18FB74580D8B0

   wzcECQS4eJUgIG/3mcaILEJFpmJ8AQQVnZ9l7KtagdClm9UaQ/Z6M/5roklSGpGu
   623YmaXezGj80j4B+Ku1sgTdJo87X1Wrup7l0wJypZls21Uwd67m9koF60eefH/K
   95D1usliXOEm8ayQJQmZrjf6K6v9PWwqMQ==
   -----END PGP MESSAGE-----
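
   Added example, not part of the draft: a parser that decodes the three
   armored vectors above and reads the version 4 SKESK header, so an
   implementer can check the cipher ID, the Argon2 parameters (Section
   3.7.1.4) and the encrypted session key length against the Comment lines.
   Function names are illustrative; the field layout (version, cipher ID,
   S2K type 4, 16-octet salt, t, p, encoded m) is the assumed wire format.

```python
import base64

# Armor bodies copied from the vectors above; keys name the cipher in each Comment line.
VECTORS = {
    "AES-128": "wycEBwScUvg8J/leUNU1RA7N/zE2AQQVnlL8rSLPP5VlQsunlO+ECxHSPgGYGKY+"
               "YJz4u6F+DDlDBOr5NRQXt/KJIf4m4mOlKyC/uqLbpnLJZMnTq3o79GxBTdIdOzhH"
               "XfA3pqV4mTzF",
    "AES-192": "wy8ECAThTKxHFTRZGKli3KNH4UP4AQQVhzLJ2va3FG8/pmpIPd/H/mdoVS5VBLLw"
               "F9I+AdJ1Sw56PRYiKZjCvHg+2bnq02s33AJJoyBexBI4QKATFRkyez2gldJldRys"
               "LVg77Mwwfgl2n/d572WciAM=",
    "AES-256": "wzcECQS4eJUgIG/3mcaILEJFpmJ8AQQVnZ9l7KtagdClm9UaQ/Z6M/5roklSGpGu"
               "623YmaXezGj80j4B+Ku1sgTdJo87X1Wrup7l0wJypZls21Uwd67m9koF60eefH/K"
               "95D1usliXOEm8ayQJQmZrjf6K6v9PWwqMQ==",
}
SYM_ALGOS = {7: "AES-128", 8: "AES-192", 9: "AES-256"}  # symmetric cipher IDs

def packets(data):
    """Yield (type_id, body) for each OpenPGP-format packet in data."""
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0xC0:
            raise ValueError("not an OpenPGP-format packet header")
        first = data[i + 1]
        if first < 192:                      # one-octet length
            length, hdr = first, 2
        elif first < 224:                    # two-octet length
            length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
        elif first == 255:                   # five-octet length
            length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used by these vectors")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield data[i] & 0x3F, body
        i += hdr + length

def parse_skesk_v4_argon2(body):
    """Split a v4 SKESK body: version, cipher, Argon2 S2K (salt, t, p, m), ESK."""
    if len(body) < 22 or body[0] != 4 or body[2] != 4:
        raise ValueError("expected a version 4 SKESK with an Argon2 S2K specifier")
    t, p, m = body[19:22]                    # passes, parallelism, encoded memory
    return {"cipher": SYM_ALGOS[body[1]], "salt": body[3:19].hex(), "t": t, "p": p,
            "memory_KiB": 1 << m, "esk_octets": len(body) - 22}

def inspect(name):
    """Return (packet type IDs in the message, parsed SKESK fields)."""
    pkts = list(packets(base64.b64decode(VECTORS[name])))
    return [t for t, _ in pkts], parse_skesk_v4_argon2(pkts[0][1])
```

   In each vector the encrypted session key field is one cipher-ID octet
   plus the key, so its length tracks the key size named in the Comment line.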

Appendix B.  Upgrade Guidance (Adapting Implementations from RFC 4880
             and RFC 6637)

   This subsection offers a concise, non-normative summary of the
   substantial additions to and departures from [RFC4880] and [RFC6637].
   It is intended to help implementers who are augmenting an existing
   implementation from those standards to this standard.  Cryptographic
   algorithms marked with "MTI" are mandatory to implement.

   *  Public Key signing algorithms:

      -  Ed25519 (Section 5.5.5.9 and Section 5.2.3.4), MTI

      -  Ed448 (Section 5.5.5.10 and Section 5.2.3.5)

Wouters, et al.            Expires 7 July 2024                [Page 193]

      -  EdDSALegacy with Ed25519Legacy (Section 5.5.5.5 and
         Section 5.2.3.3)

      -  ECDSA with Brainpool curves (Section 9.2)

   *  Public Key encryption algorithms:

      -  X25519 (Section 5.5.5.7 and Section 5.1.6), MTI

      -  X448 (Section 5.5.5.8 and Section 5.1.7)

      -  ECDH with Curve25519Legacy (Section 9.2)

      -  ECDH with Brainpool curves (Section 9.2)

   *  AEAD Encryption:

      -  Version 2 SEIPD (Section 5.13.2)

      -  AEAD modes:

         o  OCB mode (Section 5.13.4), MTI

         o  EAX mode (Section 5.13.3)

         o  GCM mode (Section 5.13.5)

      -  Version 6 PKESK (Section 5.1.2)

      -  Version 6 SKESK (Section 5.3.2)

      -  Features subpacket: add flag for SEIPDv2 (Section 5.2.3.32)

      -  Subpacket: Preferred AEAD Ciphersuites (Section 5.2.3.15)

      -  Secret key encryption: AEAD "S2K usage octet" (Section 3.7.2
         and Section 5.5.3)

   *  Version 6 Keys and Signatures:

      -  Version 6 Public keys (Section 5.5.2.3)

      -  Version 6 Fingerprint and Key ID (Section 5.5.4.3)

      -  Version 6 Secret keys (Section 5.5.3)

      -  Version 6 Signatures (Section 5.2.3)

      -  Version 6 One-Pass Signatures (Section 5.4)

   *  Certificate (Transferable Public Key) Structure:

      -  Preferences subpackets in Direct Key Signatures
         (Section 5.2.3.10)

      -  Self-verifying revocation certificate (Section 10.1.2)

      -  User ID is explicitly optional (Section 10.1.1)

   *  S2K: Argon2 (Section 3.7.1.4)

   *  Subpacket: Intended Recipient Fingerprint (Section 5.2.3.36)

   *  Digest algorithms: SHA3-256 and SHA3-512 (Section 9.5)

   *  Packet: Padding (Section 5.14)

   *  Message structure: Packet Criticality (Section 4.3)

   *  Deprecations:

      -  Public Key Algorithms:

         o  Avoid RSA weak keys (Section 12.4)

         o  Avoid DSA (Section 12.5)

         o  Avoid ElGamal (Section 12.6, Section 5.1.4)

         o  For Version 6 Keys: Avoid EdDSA25519Legacy, Curve25519Legacy
            (Section 9.2)

      -  Digest Algorithms:

         o  Avoid MD5, SHA1, RIPEMD160 (Section 9.5)

      -  Symmetric Key Algorithms:

         o  Avoid IDEA, TripleDES, CAST5 (Section 9.3)

      -  S2K Specifier:

         o  Avoid Simple S2K (Section 3.7.1.1)

      -  Secret Key protections (a.k.a. S2K Usage):

         o  Avoid MalleableCFB (Section 3.7.2.1)

      -  Packet Types:

         o  Avoid Symmetrically-Encrypted Data (Section 5.7,
            Section 13.7)

      -  Literal Data packet metadata:

         o  Avoid Filename and Date fields (Section 5.9)

         o  Avoid Special _CONSOLE "filename" (Section 5.9.1)

      -  Packet Versions:

         o  Avoid Version 3 Public Keys (Section 5.5.2.1)

         o  Avoid Version 3 Signatures (Section 5.2)

      -  Signature Types:

         o  Avoid Reserved Signature Type ID 0xFF (Section 5.2.1.16,
            Section 5.2.4.1)

      -  Signature Subpackets:

         o  For Version 6 Signatures: Avoid Issuer Key ID
            (Section 5.2.3.12)

         o  Avoid Revocation Key (Section 5.2.3.23)

      -  ASCII Armor:

         o  Ignore, do not emit CRC (Section 6.1)

         o  Do not emit "Version" armor header (Section 6.2.2.1)

      -  Cleartext Signature Framework:

         o  Ignore, avoid emitting unnecessary Hash: headers
            (Section 6.2.2.3)

         o  Reject CSF signatures with invalid Hash: headers
            (Section 6.2.2.3) or any other Armor Header (Section 7.1)

B.1.  Terminology Changes

   Note that some of the words used in previous revisions of the OpenPGP
   standard have been improved in this document.

   In previous revisions, the following terms were used:

   *  "Radix-64" was used to refer to OpenPGP's ASCII Armor base64
      encoding (Section 6).

   *  "Old packet format" was used to refer to the Legacy packet format
      (Section 4.2.2) predating [RFC2440].

   *  "New packet format" was used to refer to the OpenPGP packet format
      (Section 4.2.1) introduced in [RFC2440].

   *  "Certificate" was used ambiguously to mean multiple things.  In
      this document, it is used to mean "Transferable Public Key"
      exclusively.

   *  "Preferred Symmetric Algorithms" was the old name for the
      "Preferred Symmetric Ciphers for v1 SEIPD" subpacket
      (Section 5.2.3.14).

   *  "Modification Detection Code" or "MDC" was originally described as
      a distinct packet (packet type ID 19), and its corresponding flag
      in the Features subpacket (Section 5.2.3.32) was known as
      "Modification Detection".  It is now described as an intrinsic
      part of v1 SEIPD (Section 5.13.1), and the same corresponding flag
      is known as "Symmetrically Encrypted Integrity Protected Data
      packet version 1".

   *  "Packet Tag" was used to refer to the Packet Type ID (Section 5),
      or sometimes to the encoded Packet Type ID (Section 4.2).

Appendix C.  Acknowledgements

   Thanks to the openpgp design team for working on this document to
   prepare it for working group consumption: Stephen Farrell, Daniel
   Kahn Gillmor, Daniel Huigens, Jeffrey Lau, Yutaka Niibe, Justus
   Winter and Paul Wouters.

   Thanks to Werner Koch for the early work on rfc4880bis and Andrey
   Jivsov for [RFC6637].

   This document also draws on much previous work from a number of other
   authors, including: Derek Atkins, Charles Breed, Dave Del Torto, Marc
   Dyksterhouse, Gail Haspert, Gene Hoffman, Paul Hoffman, Ben Laurie,
   Raph Levien, Colin Plumb, Will Price, David Shaw, William Stallings,
   Mark Weaver, and Philip R. Zimmermann.

Appendix D.  Errata addressed by this document

   The following verified errata have been incorporated or are otherwise
   resolved by this document:

   *  [Errata-2199] - S2K hash/cipher octet correction

   *  [Errata-2200] - No implicit use of IDEA correction

   *  [Errata-2206] - PKESK acronym expansion

   *  [Errata-2208] - Signature key owner clarification

   *  [Errata-2214] - Signature hashing clarification

   *  [Errata-2216] - Self signature applies to user ID correction

   *  [Errata-2219] - Session key encryption storage clarification

   *  [Errata-2222] - Simple hash MUST/MAY clarification

   *  [Errata-2226] - Native line endings SHOULD clarification

   *  [Errata-2234] - Radix-64 / base64 clarification

   *  [Errata-2235] - ASCII / UTF-8 collation sequence clarification

   *  [Errata-2236] - Packet Composition is a sequence clarification

   *  [Errata-2238] - Subkey packets come after all User ID packets
      clarification

   *  [Errata-2240] - Subkey removal clarification

   *  [Errata-2242] - mL / emLen variable correction

   *  [Errata-2243] - CFB mode initialization vector (IV) clarification

   *  [Errata-2270] - SHA-224 octet sequence correction

   *  [Errata-2271] - Radix-64 correction

   *  [Errata-3298] - Key revocation signatures correction

   *  [Errata-5491] - C code fix for CRC24_POLY define

   *  [Errata-7545] - Armor Header colon hex fix

Authors' Addresses

   Paul Wouters (editor)
   Aiven
   Email: paul.wouters@aiven.io

   Daniel Huigens
   Proton AG
   Email: d.huigens@protonmail.com

   Justus Winter
   Sequoia-PGP
   Email: justus@sequoia-pgp.org

   Yutaka Niibe
   FSIJ
   Email: gniibe@fsij.org
