
Provide key separation for AEAD-encrypted data

Daniel Huigens requested to merge twisstle/rfc4880bis:aead-key-separation into main

To provide key separation, bind the session key to a specific AEAD algorithm, by including the symmetric-key algorithm and AEAD algorithm identifiers used in the AEAD encrypted data packet (and its packet tag and version) together with the session key in the V5 Symmetric-Key Encrypted Session Key Packet, and the (new) V5 Public-Key Encrypted Session Key Packet. Remove the symmetric-key algorithm and AEAD algorithm identifier from the AEAD Encrypted Data Packet.

Also, for the V5 SKESK, pass the "outer" symmetric algorithm and AEAD mode (and packet tag and version, for consistency with the AD for AEAD) to the S2K function, to properly separate the keys, since we don't have a reliable way to know whether the passphrase-derived key was meant to be used with CFB or AEAD.

For Argon2, we pass this along to the associated data parameter X of Argon2. For the other S2K mechanisms, we prepend the associated data to the passphrase.

Fixes #61 (closed).

Edited by Daniel Huigens
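The S2K key-separation idea described above, as an added example that is not code from the rfc4880bis repository or from the author of this merge request. It implements the RFC 4880 Iterated+Salted S2K with SHA-256, prepends the associated data (packet tag, version, symmetric-key algorithm, AEAD algorithm) to the passphrase for the non-Argon2 path, and shows that the same passphrase, salt and count now yield distinct keys for CFB-style use, AES-256/EAX and AES-256/OCB. The `skesk_associated_data` layout, the function names, and the algorithm identifiers used as inputs are assumptions for illustration; the Argon2 path (associated data in the X parameter) is not shown because the standard library has no Argon2.

```python
import hashlib

# Assumed V5 SKESK associated-data layout, mirroring the AEAD packet AD:
# one-octet packet tag in new-format encoding (0xC0 | tag), packet version,
# symmetric-key algorithm id, AEAD algorithm id.
SKESK_TAG = 3        # Symmetric-Key Encrypted Session Key packet (RFC 4880 tag 3)
SKESK_VERSION = 5


def skesk_associated_data(sym_algo: int, aead_algo: int) -> bytes:
    """Build the bytes bound to the passphrase-derived key (illustrative layout)."""
    return bytes([0xC0 | SKESK_TAG, SKESK_VERSION, sym_algo, aead_algo])


def decode_s2k_count(count_octet: int) -> int:
    """RFC 4880 3.7.1.3: decode the coded octet count for Iterated+Salted S2K."""
    return (16 + (count_octet & 15)) << ((count_octet >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count_octet: int,
                        key_len: int = 32) -> bytes:
    """Iterated+Salted S2K over SHA-256 (RFC 4880 3.7.1.3).

    salt || passphrase is fed to the hash repeatedly until `count` octets have
    been hashed; if the input is longer than the count it is hashed once.
    Longer keys use extra hash contexts preloaded with 0, 1, 2, ... zero octets.
    """
    data = salt + passphrase
    if not data:
        raise ValueError("empty salt and passphrase")
    count = max(decode_s2k_count(count_octet), len(data))
    key = b""
    instance = 0
    while len(key) < key_len:
        h = hashlib.sha256()
        h.update(b"\x00" * instance)  # zero preload for the n-th hash context
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        instance += 1
    return key[:key_len]


def derive_skesk_key(passphrase: bytes, salt: bytes, count_octet: int,
                     sym_algo: int, aead_algo: int) -> bytes:
    """Key derivation for the V5 SKESK (non-Argon2 S2K): prepend the AD to the
    passphrase so the derived key is bound to the outer cipher and AEAD mode."""
    ad = skesk_associated_data(sym_algo, aead_algo)
    return iterated_salted_s2k(ad + passphrase, salt, count_octet)


def separation_demo() -> dict:
    """Derive keys for the same passphrase/salt/count under different bindings.

    Inputs are constructed for the demo. Algorithm ids are the rfc4880bis values
    AES-256 = 9, EAX = 1, OCB = 2, used here only as example inputs.
    """
    passphrase = b"correct horse battery staple"   # constructed
    salt = bytes.fromhex("0011223344556677")          # constructed, 8 octets
    count_octet = 0x60                                # decodes to 65536 octets hashed
    return {
        "legacy_cfb": iterated_salted_s2k(passphrase, salt, count_octet),
        "aes256_eax": derive_skesk_key(passphrase, salt, count_octet, 9, 1),
        "aes256_ocb": derive_skesk_key(passphrase, salt, count_octet, 9, 2),
    }


if __name__ == "__main__":
    for name, key in separation_demo().items():
        print(f"{name}: {key.hex()}")
```

Because the AD is part of the hashed input, a key derived for an AEAD-protected V5 SKESK cannot collide with the key an older implementation would derive from the same passphrase for CFB, nor with the key for a different cipher/AEAD pairing; a decryptor that does not know the intended mode simply derives the wrong key instead of silently reusing one across modes.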
