Network Working Group D. Huigens, Ed. Internet-Draft Proton AG Updates: 4880 (if approved) 10 July 2023 Intended status: Standards Track Expires: 11 January 2024 Persistent Symmetric Keys in OpenPGP draft-huigens-openpgp-persistent-symmetric-keys-01 Abstract This document defines new algorithms for the OpenPGP standard (RFC4880) to support persistent symmetric keys, for message encryption using authenticated encryption with additional data (AEAD) and for authentication with hash-based message authentication codes (HMAC). This enables the use of symmetric cryptography for data storage (and other contexts that do not require asymmetric cryptography), for improved performance, smaller keys, and improved resistance to quantum computing. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://twisstle.gitlab.io/openpgp-persistent-symmetric-keys/. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-huigens-openpgp-persistent- symmetric-keys/. Discussion of this document takes place on the OpenPGP Working Group mailing list (mailto:openpgp@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/openpgp/. Subscribe at https://www.ietf.org/mailman/listinfo/openpgp/. Source for this draft and an issue tracker can be found at https://gitlab.com/twisstle/openpgp-persistent-symmetric-keys. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Huigens Expires 11 January 2024 [Page 1] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 11 January 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Persistent Symmetric Key Algorithms . . . . . . . . . . . . . 4 4.1. Algorithm-Specific Fields for AEAD keys . . . . . . . . . 5 4.2. Algorithm-Specific Fields for HMAC keys . . . . . . . . . 6 4.3. Algorithm-Specific Fields for AEAD encryption . . . . . . 6 4.4. Algorithm-Specific Fields for HMAC signatures . . . . . . 6 5. Other Changes . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7.1. Updates to Public Key Algorithms . . . . . . . . . . . . 7 7.2. Updates to Packet Type Descriptions . . . . . . . . . . . 7 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 9.2. Informative References . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Huigens Expires 11 January 2024 [Page 2] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 1. Introduction The OpenPGP standard [RFC4880] has supported symmetric encryption for data packets using session keys since its inception, as well as symmetric encryption using password-derived keys. This document extends the use of symmetric cryptography by adding support for persistent symmetric keys which can be stored in a transferable private key, and used to symmetrically encrypt session keys, for long-term storage and archival of messages. This document uses authenticated encryption with associated data (AEAD) as proposed by the OpenPGP crypto refresh [crypto-refresh]. The OpenPGP standard also supports the use of digital signatures for authentication and integrity but no similar symmetric mechanism exists in the standard. This document introduces hash-based message authentication codes (HMAC) as a symmetric counterpart to digital signatures, for long-term storage and archival of attestations of authenticity and certification. Rather than introducing new packets for storing persistent symmetric keys, the existing Secret-Key packets are reused for this purpose. To indicate the type of keys, two algorithms (AEAD and HMAC) are registered, whose IDs can be used in the place of public-key algorithm IDs. To accommodate these additions, we propose renaming the Public Key Algorithms registry to Persistent Key Algorithms. Similarly, we reuse the Signature packet for "symmetric signatures". For session keys encrypted with persistent symmetric keys, while a "Symmetric-Key Encrypted Session Key packet" exists, its semantics don't match our goals, as it's intended to encrypt the session key with a user-provided password, and doesn't offer a way to store a reference to a persistent key. Therefore, we reuse the "Public-Key Encrypted Session Key packet" instead, which does offer the desired semantics. Nevertheless, given this usage, the naming of these packets may be confusing, so we propose to rename them to "Password Encrypted Session Key packet" and "Key Encrypted Session Key packet", instead. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Any implementation that adheres to the format and methods specified in this document is called a compliant application. Compliant applications are a subset of the broader set of OpenPGP applications described in [RFC4880] and the OpenPGP crypto refresh [crypto-refresh]. Any [RFC2119] keyword within this document applies Huigens Expires 11 January 2024 [Page 3] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 to compliant applications only. 3. Motivation When compared to asymmetric cryptography, symmetric cryptography can provide improved performance and equivalent security with smaller keys. In contexts that do not require asymmetric cryptography, such as secure data storage where the same user encrypts and decrypts data, symmetric cryptography can be used to take advantage of these benefits. Additionally, asymmetric algorithms included in OpenPGP are vulnerable to attacks that might become possible on quantum computers [Shor]. Symmetric cryptography is also affected by quantum computing but to a lesser extent, which can be countered by using larger keys [Grover]. While the standardization of quantum-secure asymmetric cryptography in OpenPGP is ongoing [PQCinOpenPGP], and will be required to secure communications, there is a large body of existing messages encrypted with classical algorithms. Once persistent symmetric keys are available, these messages can be protected against future compromises efficiently by symmetrically re-encrypting the session key, and storing the message symmetrically encrypted for long-term storage and archival. 4. Persistent Symmetric Key Algorithms This document defines two new algorithms for use with OpenPGP, extending the table in section 9.1 of [crypto-refresh]. Huigens Expires 11 January 2024 [Page 4] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 +==+===========+===========+==========+================+============+ |ID| Algorithm | Public | Secret | Signature | PKESK | | | | Key | Key | Format | Format | | | | Format | Format | | | +==+===========+===========+==========+================+============+ |64| AEAD | sym. | hash | N/A | AEAD algo, | | | | algo, | seed, | | IV, | | | | seed | key | | length, | | | | hash | material | | ciphertext | | | | [Section | | | [Section | | | | 4.1] | | | 4.3] | +--+-----------+-----------+----------+----------------+------------+ |65| HMAC | hash | hash | authentication | N/A | | | [RFC2104] | algo, | seed, | tag | | | | | seed | key | [Section 4.4] | | | | | hash | material | | | | | | [Section | | | | | | | 4.2] | | | | +--+-----------+-----------+----------+----------------+------------+ Table 1: Persistent Symmetric Key Algorithm registrations These algorithm IDs can be used to store symmetric key material in Secret-Key Packets and Secret-Subkey packets (see section 5.5.3 of [crypto-refresh]). The AEAD algorithm ID can be used to store session keys encrypted using AEAD in PKESK packets (see section 5.1 of [crypto-refresh]). The HMAC algorithm ID can be used to store HMAC-based signatures in Signature packets (see section 5.2 of [crypto-refresh]). As the secret key material is required for all cryptographic operations with symmetric keys, implementations SHOULD NOT use these algorithm IDs in Public-Key Packets or Public-Subkey Packets, and SHOULD NOT export Public-Key Packets from Secret-Key Packets holding symmetric key material. 4.1. Algorithm-Specific Fields for AEAD keys The public key is this series of values: * A one-octet symmetric algorithm identifier (see section 9.3 of [crypto-refresh]) * A 32-octet SHA-256 hash of the seed in the private key material The private key is this series of values: * A 32-octet seed value to be hashed for the public key material Huigens Expires 11 January 2024 [Page 5] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 * Symmetric key material of appropriate length for the chosen symmetric algorithm 4.2. Algorithm-Specific Fields for HMAC keys The public key is this series of values: * A one-octet hash algorithm identifier (see section 9.5 of [crypto-refresh]) * A 32-octet SHA-256 hash of the seed in the private key material The private key is this series of values: * A 32-octet seed value to be hashed for the public key material * Symmetric key material of the length of the hash output size of the chosen hash algorithm 4.3. Algorithm-Specific Fields for AEAD encryption * A one-octet AEAD algorithm (see section 9.6 of [crypto-refresh]) * A starting initialization vector of size specified by AEAD mode * A one-octet length of the following field * A symmetric key encryption of the plaintext value described in section 5.1 of [crypto-refresh], performed using the selected symmetric-key cipher operating in the given AEAD mode, including the authentication tag. 4.4. Algorithm-Specific Fields for HMAC signatures * An authentication tag of appropriate length for the hash algorithm Although not required by HMAC, to maintain compatibility with existing signature implementations, HMAC tags are produced from appropriately hashed data, as per section 5.2.4 of [crypto-refresh]. 5. Other Changes To reflect the usage of symmetric algorithms, we propose to rename Public-Key Encrypted Session Key Packet (Tag 1) to Persistent Key Encrypted Session Key Packet, and rename Symmetric-Key Encrypted Session Key Packet (Tag 3) to String-to-Key Encrypted Session Key Packet. These names reflect the semantics and intended use of the packets, as opposed to the cryptographic algorithms used. Huigens Expires 11 January 2024 [Page 6] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 Additionally, we propose to rename the Public Key Algorithms registry to Persistent Key Algorithms. 6. Security Considerations Security considerations are discussed throughout the document where appropriate. 7. IANA Considerations 7.1. Updates to Public Key Algorithms IANA is requested to rename the "Public Key Algorithms" registry to "Persistent Key Algorithms", and add the entries in Table 1 to the registry. 7.2. Updates to Packet Type Descriptions IANA is requested to modify the "PGP Packet Types/Tags" registry as follows: * For Packet Tag 1 ("Public-Key Encrypted Session Key Packet"), change the Packet Type to "Persistent Key Encrypted Session Key Packet". * For Packet Tag 3 ("Symmetric-Key Encrypted Session Key Packet"), change the Packet Type to "String-to-Key Password Encrypted Session Key Packet". 8. Acknowledgements An initial version of this draft was written by Dan Ristea (Proton AG), with guidance from Dr Philipp Jovanovic (University College London). 9. References 9.1. Normative References [crypto-refresh] Wouters, P., Huigens, D., Winter, J., and N. Yutaka, "OpenPGP", June 2023, . Huigens Expires 11 January 2024 [Page 7] Internet-Draft Persistent Symmetric Keys in OpenPGP July 2023 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, . 9.2. Informative References [Grover] Grover, L., "Quantum mechanics helps in searching for a needle in a haystack", 1997, . [PQCinOpenPGP] Kousidis, S., Strenzke, F., and A. Wussler, "Post-Quantum Cryptography in OpenPGP", March 2023, . [Shor] Shor, P., "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer", October 1997, . Author's Address Daniel Huigens (editor) Proton AG Route de la Galaise 32 CH-1228 Plan-les-Ouates Switzerland Email: d.huigens@protonmail.com Huigens Expires 11 January 2024 [Page 8]