Re: [lamps] More mail madness?
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 14 May 2018 17:04 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BB1712E892; Mon, 14 May 2018 10:04:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s23du-3lI66B; Mon, 14 May 2018 10:03:57 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 525221201F8; Mon, 14 May 2018 10:03:57 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id 11-v6so11339253ois.8; Mon, 14 May 2018 10:03:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=MMqTky4iy6USAaWGfsR34yk/PlHfoXq/Vtj1OdaPX4c=; b=ec+YvR36KNKrf/oe4q+yd5CC6tBOHaSGhIcrP2NSC+R2TODJ5x15DUm2CNP9qErrsj 6p+a+r4eTnnZ2eyF2hwHLCmdOeyvjlrdMEkE6I2FW7MRRcHkMO9eHZC0fjb9paU6FBmD OLE/yl8OoCv+WX2BHphPzkHFZibQio7ubDTc0+bu+r85WEH3RW/GxbNDv7NLoEfal0Df weoMwkFOEJinvNWYIrqsXO/LKIT071/3CTFqQZBhJvPFlSVWfF2F56Iu5LsBCASGSJVo n+hFX6+jaCDgTBteVrshme3ZvzbTsNMfOn64cZh+gcz8Fvz3v0WGbcxCO5Jtf5QV3+Po GruQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=MMqTky4iy6USAaWGfsR34yk/PlHfoXq/Vtj1OdaPX4c=; b=HRLprS3b/10YjQZOmy1VN6LhlGKTaMdd/6ANdiWGU7+socUELrgv2+Ux1xI7JvvD1W EsNuF2ldgURB37wBt+0Ra8XQlaMDTsHs37LXqsufcL9wKq8ygRjA86s+dUda7+5jijNu SBdxmj/khyUGG5Q89F1irdW22G23iBKnDAeaVgStrEl+CXrP4cYqHII1Jq/GLaxh/jGl 60SfoZn6VorJOCBqlbnV9zgB2otyT7hxU44RZT72jTVV1RP4k5W+tSibx5OvKGJ3VAQh MWGWiesgMi4pm0LMSEQZja6lrNtm6BE4rJoaQsQexDsCFS8nyJIyPHpkJeH/tNaJ1fcO oxog==
X-Gm-Message-State: ALKqPwfCyJ8Hqy5uAm+kHMDUunQdbmgjhJ6LmD5eQhYlJx8rA6Asbor3 AUP5DyAiKfUepPOKNGHTqBR5BiNNxVM7hx0XZyw=
X-Google-Smtp-Source: AB8JxZouqUW5e/LM56EUvsyzMRoIkbe8CQA4eXnopDQQcJmeEA6L7gZZ4O1iJ177fjbwlyJx+168Cadt0+yz8LhQFJc=
X-Received: by 2002:aca:6257:: with SMTP id w84-v6mr7580830oib.26.1526317436589; Mon, 14 May 2018 10:03:56 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 2002:a9d:23:0:0:0:0:0 with HTTP; Mon, 14 May 2018 10:03:56 -0700 (PDT)
In-Reply-To: <CAL02cgQGew0=5s-ipyJSD=kp8+uK5juYFYUdepWeDFjf6raqsw@mail.gmail.com>
References: <CAMm+LwiOfdptL6u=SyCtQnz7xKrJD6HTDkKs+JGeHf54CSiv8A@mail.gmail.com> <B0CE44DF-DC7C-4411-B1CC-30B87E38D3F6@vigilsec.com> <51B631EC-78B3-4FF4-A82C-725A029F3DB3@nohats.ca> <C8E07D79-DFC5-4DA5-981B-26AA91A04D09@vigilsec.com> <CAL02cgQGew0=5s-ipyJSD=kp8+uK5juYFYUdepWeDFjf6raqsw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 14 May 2018 13:03:56 -0400
X-Google-Sender-Auth: p_rLkffhtR7ogknL9uSEiJWLbb0
Message-ID: <CAMm+LwhSGPHvt0E5JRU-S273Ve8wohjHJ7-giMLytNq3F_BWFQ@mail.gmail.com>
Subject: Re: [lamps] More mail madness?
To: Richard Barnes <rlb@ipv.sx>
Cc: Russ Housley <housley@vigilsec.com>, Paul Wouters <paul@nohats.ca>, SPASM <spasm@ietf.org>, IETF <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009f5de8056c2d7882"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/6O2L4RCB9ThT7sjN-h22hhZ5KsM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 May 2018 17:04:00 -0000
Here is the approach I use for encryption which guards against the IV attack. It might seem a little over the top but the objective here is to minimize the number of code paths rather than the length of the code path. The reason I started on this approach was I was looking for a secure way to encrypt chat room logs etc. without having to do a key exchange per message. In the process, I realized that the same approach works remarkably well in S/MIME like applications where we may have multiple multiparts that we want to encrypt under one key exchange, we may want to encrypt subject lines and we may want to encrypt signatures over the plaintext. 1) Generate fresh session key of at least 256 bits which has the property of being infeasible to guess (note that unguessability is a stronger requirement than merely being random). 2) Perform a key exchange for each recipient. 2a) If it is a DH or EDH key exchange, use the key exchange result as the IKM for a KeyDerivation function with info tag "master". Then use the resulting key to perform an AES Key Wrap of the session key. 3) Create the Enhanced Data Sequences. For each EDC we create a salt value which needs to be unique within the context of this particular exchange. We then use HKDF to derive the encryption (+MAC if needed) and IV. This approach ensures that the IV is chosen in a rigid fashion and thus eliminates a possible area of manipulation as any change to the salt will prevent decryption and authentication of the message as well. On Mon, May 14, 2018 at 12:39 PM, Richard Barnes <rlb@ipv.sx> wrote: > Russ: Is there some more work to be done here to address the CBC/CFB > issues? Even if the encapsulation has AEAD support, maybe there's some > negotiation thingy? > > On Mon, May 14, 2018, 12:37 Russ Housley <housley@vigilsec.com> wrote: > >> >> On May 14, 2018, at 12:35 PM, Paul Wouters <paul@nohats.ca> wrote: >> >> On May 14, 2018, at 12:29, Russ Housley <housley@vigilsec.com> wrote: >> >> We are working on text for S/MIME that says that each portion of a MIME >> multi-part needs to be handled in its own sandbox. The direct exfiltration >> that is described happens because the mail user agent glues the various >> portions together for display to the user, which in the example on the web >> page causes an image to be fetched from the attacker's website with the >> message plaintext as part of the URL. >> >> >> So that’s the bandaid. What and where will work be done on a solution? >> >> >> LAMPS just sent an update to the S/MIME message document to the IESG. My >> guess is that there will be discussion on the spasm@ietf.org mail list. >> >> Russ >> >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org >> https://www.ietf.org/mailman/listinfo/spasm >> >
- More mail madness? Phillip Hallam-Baker
- Re: More mail madness? Russ Housley
- Re: More mail madness? Paul Wouters
- Re: More mail madness? Russ Housley
- Re: [lamps] More mail madness? Richard Barnes
- Re: More mail madness? Viktor Dukhovni
- Re: [lamps] More mail madness? Phillip Hallam-Baker
- Re: More mail madness? Sam Hartman
- Re: More mail madness? Russ Housley