[openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages

Daniel Huigens <d.huigens@protonmail.com> Fri, 19 May 2023 14:42 UTC

To: IETF OpenPGP WG <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/4USiQor2xDYfbMyPboTim-hHW1s>

Hi all,

(The following question came up in [!309], but I thought it might be
worth bringing to the list.)

In OpenPGP.js and GopenPGP, cleartext signed messages with header names
other than "Hash" are rejected. The reason is to prevent messages like:

    -----BEGIN PGP SIGNED MESSAGE-----
    Reminder: I need you to wire $100k to 12345566 as soon as possible.

    Thank you!
    -----BEGIN PGP SIGNATURE-----
    [...]

from being able to trick a user into thinking the entire message was
signed.

These checks were introduced after security audits by [Cure53] and
[SEC Consult] pointed out the issue in OpenPGP.js and Go's x/crypto
respectively, with the latter even getting a [CVE] assigned to it.

V6 cleartext signed messages introduce a "SaltedHash" header, since v6
signatures include a salt at the start of the hashing context; so it's
necessary to know the salt in advance if you want to verify the message
in one pass (without buffering the cleartext).

But, this means that cleartext signed messages that are signed using
both a v4 and a v6 signature won't be backwards compatible, at least
for OpenPGP.js and GopenPGP.

I don't think this is a huge showstopper because clearsigned messages
are anyway not the preferred way of signing messages, and we can update
OpenPGP.js and GopenPGP relatively easily to also allow the "SaltedHash"
header.

That being said, I'm also not sure streaming verification of clearsigned
messages (without buffering) is super important, since they're likely to
be small? So maybe it would be better to drop the header, or drop it for
mixed messages (with both v4 and v6 signatures)?

In any case, I don't have a super strong opinion about this, but I'm
curious to hear what the WG thinks. I can make an MR if there seems to
be consensus on this one way or another.

And, apologies for bringing this up so late!

Best,
Daniel


[!309]: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/309#note_1396560093
[Cure53]: https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit
[SEC Consult]: https://seclists.org/fulldisclosure/2019/May/16
[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2019-11841
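
The header allowlist check described in the message, as an added example that is not part of the original post and is not OpenPGP.js or GopenPGP code. It parses the armor headers of a cleartext signed message, rejects any name outside the allowlist, and returns the text the signature actually covers. All function and constant names are hypothetical, and the `V4_ONLY` and `MIXED` samples are constructed, with a placeholder in place of a real "SaltedHash" value.

```javascript
// Added example; all names here are hypothetical, not OpenPGP.js or GopenPGP API.
const BEGIN_MSG = '-----BEGIN PGP SIGNED MESSAGE-----';
const BEGIN_SIG = '-----BEGIN PGP SIGNATURE-----';

function checkCleartextHeaders(armored, allowed = ['Hash']) {
  const lines = armored.split('\n').map((l) => l.replace(/\r$/, ''));
  if (lines[0] !== BEGIN_MSG) throw new Error('not a cleartext signed message');
  const headers = [];
  const rejected = [];
  let i = 1;
  // Armor headers run from the line after BEGIN up to the first empty line.
  for (; i < lines.length && lines[i] !== ''; i++) {
    const m = /^([^:]+): (.*)$/.exec(lines[i]);
    if (!m) { rejected.push(lines[i]); continue; } // not "Name: value"
    headers.push({ name: m[1], value: m[2] });
    if (!allowed.includes(m[1])) rejected.push(m[1]);
  }
  const sig = lines.indexOf(BEGIN_SIG, i);
  if (i === lines.length || sig === -1) throw new Error('malformed framing');
  // Only the text after the empty line is covered by the signature.
  const signedText = lines.slice(i + 1, sig).join('\n');
  return { ok: rejected.length === 0, headers, rejected, signedText };
}

// The message quoted in the post: its first line parses as a header.
const SPOOFED = [BEGIN_MSG,
  'Reminder: I need you to wire $100k to 12345566 as soon as possible.',
  '', 'Thank you!', BEGIN_SIG, '[...]'].join('\n');
// Constructed samples; the SaltedHash value is a placeholder, not a real salt.
const V4_ONLY = [BEGIN_MSG, 'Hash: SHA256', '', 'hello', BEGIN_SIG, '[...]'].join('\n');
const MIXED = [BEGIN_MSG, 'Hash: SHA256', 'SaltedHash: SHA512:PLACEHOLDER-SALT',
  '', 'hello', BEGIN_SIG, '[...]'].join('\n');

function demo() {
  return {
    spoofed: checkCleartextHeaders(SPOOFED),
    v4: checkCleartextHeaders(V4_ONLY),
    mixedStrict: checkCleartextHeaders(MIXED),
    mixedUpdated: checkCleartextHeaders(MIXED, ['Hash', 'SaltedHash']),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

With the default allowlist the mixed message is rejected in the same way as the spoofed one, which is the backwards-compatibility break the post describes; passing `['Hash', 'SaltedHash']` models the updated check.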