Re: [openpgp] Reducing the meta-data leak

Derek Atkins <derek@ihtfp.com> Tue, 03 November 2015 14:30 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B77B1A1A03 for <openpgp@ietfa.amsl.com>; Tue, 3 Nov 2015 06:30:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37r4d-PHEZV7 for <openpgp@ietfa.amsl.com>; Tue, 3 Nov 2015 06:30:56 -0800 (PST)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 469EB1A1A00 for <openpgp@ietf.org>; Tue, 3 Nov 2015 06:30:56 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id D2C77E203F; Tue, 3 Nov 2015 09:30:54 -0500 (EST)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 27490-09; Tue, 3 Nov 2015 09:30:50 -0500 (EST)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 7A65EE203A; Tue, 3 Nov 2015 09:30:49 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1446561049; bh=+20dMlIBEnARfR4MNXDxJAv/xdGcB9FmYQvsRS1YVnc=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=kfUIuVI5vovpfUIw6LVUJSrfTS5wEger4CEVpE+h77YRgm42qAWpUKF2ebFHkYKkq H8XGl09anUyKrl4FDyj30Yc6LkDRQIso2ctoxhTtdE1ZZ8XvPkxvx9wPM4DOHVjE5L rxmbyKbPlGbfXLlzPh4i+90TSF0Qqoq908dZrBz0=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.14.8/8.14.8/Submit) id tA3EUmXu017369; Tue, 3 Nov 2015 09:30:48 -0500
From: Derek Atkins <derek@ihtfp.com>
To: "Neal H. Walfield" <neal@walfield.org>
References: <87io5j764u.wl-neal@walfield.org>
Date: Tue, 03 Nov 2015 09:30:48 -0500
In-Reply-To: <87io5j764u.wl-neal@walfield.org> (Neal H. Walfield's message of "Tue, 03 Nov 2015 11:02:25 +0100")
Message-ID: <sjm7flz9muf.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/1iNw6Gg5VH9UHF-Vnjesw531cd4>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] Reducing the meta-data leak
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2015 14:30:57 -0000

"Neal H. Walfield" <neal@walfield.org> writes:

> Hi,
>
> At the IETF 94 OpenPGP WG session, Bryan, if I recall correctly,
> suggested that we should try and hide more meta-data.  For instance,
> instead of listing the recipients, someone decrypting a message would
> try each of their available secret keys in turn.  Werner pointed out
> that these probes are a pain for people who use a passphrase protected
> key and I mentioned that it is a pain for people who use a smartcard,
> in paritcular, those who use more than one smartcard.
>
> What about using a bloom filter for encoding the recipients?  This, of
> course, doesn't eliminate the meta-data leak and it can lead to false
> positives (= gratuitious passphrase prompts / smartcard prompts), but
> it should reduce the metadata leak a fair amount, I think.  Thoughts?

There was an extension at one point where you use the string 0x00...00
for the keyID and that forced you to test all your secret keys.  There
are certainly times where that is warranted; there are other times where
it is not.

I wasn't at the meeting (in person or virtually) so I'm not sure I
completely understand what the use-case is where the above solution
doesn't work?

> Thanks,
>
> :) Neal

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant