IETF Logo Mail Archive

Re: [openpgp] OpenPGP encryption block modes (Was: The Argon2 proposal seems incomplete (Draft 6))

Bruce Walzer <bwalzer@59.ca> Fri, 19 August 2022 20:44 UTC

Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8706C14CF08; Fri, 19 Aug 2022 13:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yh0xCNwrglyr; Fri, 19 Aug 2022 13:44:13 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5418C14CE23; Fri, 19 Aug 2022 13:44:13 -0700 (PDT)
Received: from [104.246.140.18] (helo=watt.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oP8qf-0002q1-Qj; Fri, 19 Aug 2022 15:44:10 -0500
Date: Fri, 19 Aug 2022 15:44:07 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>
Cc: openpgp@ietf.org
Message-ID: <Yv/2F7+muV0/JPo4@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87edy7keb6.fsf@thinkbox> <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox> <87r124m64c.fsf@wheatstone.g10code.de> <YulX9jI1+wOCwLJq@ohm.59.ca> <845A0B33-D115-4BA7-BD4D-ED76B72E0EB3@rub.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <845A0B33-D115-4BA7-BD4D-ED76B72E0EB3@rub.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2NVrVHRis3roml0DLsjB40M8WkQ>
Subject: Re: [openpgp] OpenPGP encryption block modes (Was: The Argon2 proposal seems incomplete (Draft 6))
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 20:44:17 -0000

On Mon, Aug 08, 2022 at 09:19:15PM +0200, Marcus Brinkmann wrote:
> > Am 02.08.2022 um 18:59 schrieb Bruce Walzer <bwalzer@59.ca>:
> > AEAD isn't even a very accurate term in an OpenPGP context. There is
> > no AD (associated data) exposed to the user of such a system. It just
> > doesn't work that way.
> 
> It would be very useful to expose AD in OpenPGP to users to prevent exfiltration attacks in the context of email. See our research at [1].
[...]
> [1] Jörg Schwenk, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj Somorovsky, and Sebastian Schinzel. 2020. Mitigation of Attacks on Email End-to-End Encryption. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, New York, NY, USA, 1647–1664. https://doi.org/10.1145/3372297.3417878
> 
> Preprint available here: https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/12/06/schwenk2020.pdf

Correct me if I am wrong, but the basic idea here is to include
information about the context that existed at the time of encryption
in the associated data (AD) of a AEAD encrypted packet. A receiver of
such a packet could then check to see if the context had changed, and
if it had, if it had changed in a reasonable way.

>From the linked paper:

> ...EFAIL-MG has been mitigated in IETF standards with the
> introduction of Authenticated Encryption with Associated Data (AEAD)
> algorithms.

I don't accept that the addition of AEAD modes to the standard
provides any benefit over what can be done with the exiting well
standardized SEIPD-MDC mode against EFAIL-MG. So I can't assume that
any mode with AD has to exist. This would have to stand as a argument
to provide such a mode on its own to be compelling to me.

Would sending this context data in plain text as AD even be the best
choice here? Wouldn't it be better to prevent attacker knowledge of
this data by encrypting it? Why give the attacker information about
the context they would have to forge?

One way this might be done would be to define a new packet type for
context and add that packet into the encrypted SEIPD-MDC packet. That,
in theory, would be entirely compatible with existing usage. That
would be as opposed to creating AEAD packets that are entirely
incompatible with existing usage.

Bruce

v2.23.0 | Report a Bug | By Email