bug#57576: Missing support for NIPT-P384 gpg algorithm in Guix channel authentication.

bug#57576: Missing support for NIPT-P384 gpg algorithm in Guix channel authentication.

[Zhu Zihao]

[-- Attachment #1: Type: text/plain, Size: 2874 bytes --]

I'm working with my private channel, And I update my gpg key using
NIPT-P384 algorithm. But `guix time-machine` complains that:

Updating channel 'cireguix' from Git repository at '/home/citreu/gitrepos/cireguix'...
Authenticating channel 'cireguix', commits 9b37ac0 to 6601a6a (1 new commits)...
[###########################################################################################################################################################################################################################################]Backtrace:
In guix/store.scm:
   659:37 19 (thunk)
In guix/status.scm:
    815:4 18 (call-with-status-report _ _)
In guix/store.scm:
   1298:8 17 (call-with-build-handler #<procedure 7f6086416630 at g…> …)
In guix/inferior.scm:
   904:34 16 (cached-channel-instance #<store-connection 256.99 7f6…> …)
In guix/channels.scm:
    523:7 15 (loop _ _)
In guix/combinators.scm:
    48:26 14 (fold2 #<procedure 7f60883758a0 at guix/channels.scm:5…> …)
In guix/channels.scm:
   533:29 13 (_ #<<channel> name: cireguix url: "/home/citreu/gitre…> …)
   421:12 12 (latest-channel-instance #<store-connection 256.99 7f6…> …)
In guix/git.scm:
    290:7 11 (call-with-repository _ #<procedure 7f60883757e0 at gui…>)
In guix/git-authenticate.scm:
   442:22 10 (authenticate-repository #<git-repository 861da0> _ _ # …)
In guix/progress.scm:
    71:36  9 (call-with-progress-reporter _ _)
In srfi/srfi-1.scm:
   460:18  8 (fold #<procedure 7f608943bfc0 at guix/git-authenticat…> …)
In guix/git-authenticate.scm:
   290:24  7 (_ #<git-commit 6601a6ab9073cfe260e1563131990c786519a2…> …)
    226:4  6 (authenticate-commit #<git-repository 861da0> #<git-co…> …)
   129:23  5 (commit-signing-key _ #<oid 6601a6ab9073cfe260e1563131…> …)
In guix/openpgp.scm:
   562:26  4 (verify-openpgp-signature _ _ _)
In gcrypt/pk-crypto.scm:
    250:8  3 (key-type (unsupported-algorithm 19 #vu8(5 43 129 4 …)))
   202:27  2 (_ (unsupported-algorithm 19 #vu8(5 43 129 4 0 34 3 …)) 0)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure struct-vtable: Wrong type argument in position 1 (expecting struct): (unsupported-algorithm 19 #vu8(5 43 129 4 0 34 3 3 4 53 239 158 105 250 133 46 247 192 56 245 48 43 60 70 47 46 85 221 226 213 94 248 254 218 85 176 252 233 119 26 85 65 191 47 159 193 86 129 155 186 183 151 233 81 178 42 30 81 234 192 184 140 230 226 26 72 186 82 18 213 187 6 28 34 39 197 75 37 138 226 98 216 187 185 223 222 126 181 122 255 104 171 201 51 254 7 235 245 151 247 168 215 165 73 181))

Does Guix support NIPT-P384 key?
-- 
Retrieve my PGP public key:

  gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 300 bytes --]

bug#57576: Missing support for NIPT-P384 gpg algorithm in Guix channel authentication.

[Ludovic Courtès]

Hi,

Zhu Zihao <all_but_last@163.com> skribis:

> I'm working with my private channel, And I update my gpg key using
> NIPT-P384 algorithm. But `guix time-machine` complains that:

[...]

>     226:4  6 (authenticate-commit #<git-repository 861da0> #<git-co…> …)
>    129:23  5 (commit-signing-key _ #<oid 6601a6ab9073cfe260e1563131…> …)
> In guix/openpgp.scm:
>    562:26  4 (verify-openpgp-signature _ _ _)
> In gcrypt/pk-crypto.scm:
>     250:8  3 (key-type (unsupported-algorithm 19 #vu8(5 43 129 4 …)))
>    202:27  2 (_ (unsupported-algorithm 19 #vu8(5 43 129 4 0 34 3 …)) 0)
> In ice-9/boot-9.scm:
>   1685:16  1 (raise-exception _ #:continuable? _)
>   1685:16  0 (raise-exception _ #:continuable? _)
>
> ice-9/boot-9.scm:1685:16: In procedure raise-exception:
> In procedure struct-vtable: Wrong type argument in position 1 (expecting struct): (unsupported-algorithm 19 #vu8(5 43 129 4 0 34 3 3 4 53 239 158 105 250 133 46 247 192 56 245 48 43 60 70 47 46 85 221 226 213 94 248 254 218 85 176 252 233 119 26 85 65 191 47 159 193 86 129 155 186 183 151 233 81 178 42 30 81 234 192 184 140 230 226 26 72 186 82 18 213 187 6 28 34 39 197 75 37 138 226 98 216 187 185 223 222 126 181 122 255 104 171 201 51 254 7 235 245 151 247 168 215 165 73 181))
>
> Does Guix support NIPT-P384 key?

Nope!  (That’s NIST-P384.)

To add it, we need to adjust (guix openpgp) to support it (and ECDSA,
the “19” we see above).  I’ll follow up with a patch.

Ludo’.

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Zhu Zihao]

My opinion: Maybe NSA recommend NIST family because they know how to get
around it. But they also have to believe foreign government can't break
it easily.

-- 
Retrieve my PGP public key:

  gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Maxime Devos]

[-- Attachment #1.1.1: Type: text/plain, Size: 2720 bytes --]


On 06-09-2022 13:58, Ludovic Courtès wrote:
> Hi,
>
> ECDSA and the NIST curves (and in fact a large part of NIST’s crypto
> standardization work¹) are actually considered with skepticism by some:
>
>    https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Concerns
>
> That makes me wonder whether supporting them is a good idea, after all.
> Evidently they’re not widely used in OpenPGP and not supporting them
> hasn’t been much of a problem, it seems.  On one hand, we don’t want
> Guix’s OpenPGP implementation to limit what users do with their OpenPGP
> keys; on the other hand, we don’t want to encourage algorithms that
> bring little to the table at best and are suspicious at worst.
>
> What do people think?

We disallow signing with SHA-1, because it is known to be vulnerable and 
as there are alternatives that are considered good, even if this limits 
what users can do with their OpenPGP keys.

In case of those curves, I'm not aware of any 'crytopgraphic proof' (*) 
that the curves are vulnerable (unlike for SHA-1), but as noted in ¹ and 
elsewhere, there are other kinds of evidence that something is wrong.

Except for the different nature of the evidence of vulnerability, it 
seems about the same situation to me. As such, I don't think we should 
support them (some nice error messages like 'This algorithm [...] is not 
supported yet’ or ‘This algorithm [...] is (likely/known to be) 
vulnerable’ would be good though!).

(*) I mean proof, like in mathematical proofs, not merely evidence.

An alternative option would be to allow the channel .guix-authorization 
(of the previous commits, not the commit that is about to be verified!) 
to decide what's considered a 'good algorithm' (with some defaults) 
(with a field). Maybe we'll have to deprecate, say, RSA or SHA-3 
eventually, it would be nice to have a migration method in place as 
early as possible, to minimise the risk of some people doing a "guix 
pull" from a Guix that does not support that field to a Guix or other 
channel that _does_ use that field.

Zhu Zihao wrote:

> My opinion: Maybe NSA recommend NIST family because they know how to get
> around it.
If so, I believe this is an argument against allowing these curves, to 
avoid a method NSA could use for attacks.
> But they also have to believe foreign government can't break
> it easily.
For people outside the US, the US (of which the NSA is an agency) _is_ a 
foreign government. As Guix is not an US-specific project, I do not 
think this is an argument for allowing the curves.

Greetings,
Maxime.
> Ludo’.
>
> ¹ https://blog.cr.yp.to/20220805-nsa.html
>
>

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Ludovic Courtès]

Hi,

(Cc’ing Andreas for extra advice.)

Maxime Devos <maximedevos@telenet.be> skribis:

> We disallow signing with SHA-1, because it is known to be vulnerable
> and as there are alternatives that are considered good, even if this
> limits what users can do with their OpenPGP keys.

Right, we know it’s affordable to break SHA-1 these days.

> In case of those curves, I'm not aware of any 'crytopgraphic proof'
> (*) that the curves are vulnerable (unlike for SHA-1), but as noted in
> ¹ and elsewhere, there are other kinds of evidence that something is
> wrong.

It’s different from SHA-1 though: ECDSA is not known to be vulnerable,
and AIUI we can’t tell that there’s a possibility NIST/NSA has a
backdoor as is the case for DualEC.  However, the whole NIST design
process is tainted.  So my understanding is that it’s really a gray
area.

> Except for the different nature of the evidence of vulnerability, it
> seems about the same situation to me. As such, I don't think we should
> support them (some nice error messages like 'This algorithm [...] is
> not supported yet’ or ‘This algorithm [...] is (likely/known to be)
> vulnerable’ would be good though!).

Yes, that we can improve.  :-)

> An alternative option would be to allow the channel
> .guix-authorization (of the previous commits, not the commit that is
> about to be verified!) to decide what's considered a 'good algorithm'
> (with some defaults) (with a field). Maybe we'll have to deprecate,
> say, RSA or SHA-3 eventually, it would be nice to have a migration
> method in place as early as possible, to minimise the risk of some
> people doing a "guix pull" from a Guix that does not support that
> field to a Guix or other channel that _does_ use that field.

It’s tempting, but I’d rather avoid introducing such mechanisms to keep
things as simple as possible.

Thanks,
Ludo’.

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Andreas Enge]

Hello,

Am Tue, Sep 06, 2022 at 10:02:55PM +0200 schrieb Ludovic Courtès:
> (Cc’ing Andreas for extra advice.)

well, I agree with your analysis. There is no concrete evidence that the
NIST curves may be flawed, and a general belief that not all crypto
standards of NIST are flawed or backdoored... So it makes sense to accept
the curves, but ultimately this is a political decision (and a personal
decision about which type of key a user creates).

Andreas

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Andreas Enge]

Am Wed, Sep 07, 2022 at 01:13:25PM +0200 schrieb Maxime Devos:
> Also, we _do_ have concrete evidence that the curves are flawed -- the website
> on the link mentions many issues in the process

The website (you mean the blog by D. Bernstein?) also mentions the use of
a hash function to arrive at the parameters. Maybe I overlooked something,
but I did not find other mentions of the curves (but I did not read the
page from A to Z).

> past that the NSA is in the habit of subverting communications.

But this is not concrete evidence that these curves are flawed.
As far as is publicly known, there are a few weak (and sparse) classes
of insecure elliptic curves, and the NIST curves do not belong to them.

So the only way these curves could be flawed is that there is an unknown
class of insecure curves, where the insecurity is known by the NSA.
Then if this class is sufficiently dense, one could start with a random
seed, hash the seed, and repeat until one obtains a weak instance;
see this link by a well-known cryptologist
   https://miracl.com/blog/backdoors-in-nist-elliptic-curves/
and the link given there (to another post by Bernstein).

This is possible, but speculation instead of evidence.

Newer constructions are better, but not perfect; optimally one would want
a process of "generation of public random numbers" as described here:
   https://eprint.iacr.org/2015/366

> Channels are for sharing things between multiple people.  The keys are for
> authenticating channels.  As multiple people are involved for a channel, this
> seems be be a non-personal decision by definition.

I said "political", which fits well the setting of multiple people involved.
And I meant this in opposition to "scientific", given the lack of evidence
against the NIST curves.

Andreas

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Ludovic Courtès]

Hi,

Thanks a lot for the explanations, Andreas!

As you write, the decision will be “political” as there’s no scientific
evidence to guide us.

I’d like to see what other free software OpenPGP implementors decided
(primarily Sequoia; GnuPG/Libgcrypt implement them).

Ludo’.

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[zimoun]

Hi,

On Wed, 07 Sep 2022 at 14:51, Ludovic Courtès <ludo@gnu.org> wrote:

> I’d like to see what other free software OpenPGP implementors decided
> (primarily Sequoia; GnuPG/Libgcrypt implement them).

Maybe related <https://sequoia-pgp.org/status/>.


Cheers,
simon

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

[Ludovic Courtès]

Hi!

All things considered, I prefer to drop this patch.  In the unlikely
event that we’ll get more requests to support these curves, we can
always revisit the issue.

What we should do, though, is improve error reporting in case an
unsupported curve or algorithm is encountered.

Thanks,
Ludo’.