Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
Marcus Brinkmann <marcus.brinkmann@rub.de> Fri, 19 August 2022 11:34 UTC
Return-Path: <marcus.brinkmann@rub.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4365AC14CF0A for <openpgp@ietfa.amsl.com>; Fri, 19 Aug 2022 04:34:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rub.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSO9bGZH4mPN for <openpgp@ietfa.amsl.com>; Fri, 19 Aug 2022 04:34:34 -0700 (PDT)
Received: from out1.mail.ruhr-uni-bochum.de (out1.mail.ruhr-uni-bochum.de [134.147.53.149]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D0CEC14F75F for <openpgp@ietf.org>; Fri, 19 Aug 2022 04:34:33 -0700 (PDT)
Received: from mx1.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by out1.mail.ruhr-uni-bochum.de (Postfix mo-ext) with ESMTP id 4M8KRB2gTqz8S3v; Fri, 19 Aug 2022 13:34:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=rub.de; s=mail-2017; t=1660908870; bh=5dFQQH1gaYfQ9QG8LhpHJb3uXnz0mpbNYBbQRYUAZ/4=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=HbM8EIwnnVDiTD6guqEN9oM8G8SFz2U/yshvrsDkHkX1qjOQUugkXis3/bafK+o5V 1QHJS7WMesvTUxoGLfIWDlWu8jr4L69NwGAE3kUJtEjftH1SWqE06ECdD2O++USeYx nOTWAN48BrBb1hF9He301sgrq7axlntUZxV5R1po=
Received: from out1.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by mx1.mail.ruhr-uni-bochum.de (Postfix idis) with ESMTP id 4M8KRB1t09z8S2y; Fri, 19 Aug 2022 13:34:30 +0200 (CEST)
X-Envelope-Sender: <marcus.brinkmann@rub.de>
X-RUB-Notes: Internal origin=134.147.42.236
Received: from mail2.mail.ruhr-uni-bochum.de (mail2.mail.ruhr-uni-bochum.de [134.147.42.236]) by out1.mail.ruhr-uni-bochum.de (Postfix mi-int) with ESMTP id 4M8KRB0RCyz8S3r; Fri, 19 Aug 2022 13:34:28 +0200 (CEST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.104.1 at mx1.mail.ruhr-uni-bochum.de
Received: from smtpclient.apple (int-62-224.vpn.ruhr-uni-bochum.de [10.5.62.224]) by mail2.mail.ruhr-uni-bochum.de (Postfix) with ESMTPSA id 4M8KR83FMwzDgym; Fri, 19 Aug 2022 13:34:28 +0200 (CEST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.104.2 at mail2.mail.ruhr-uni-bochum.de
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-Id: <95CE5F48-3E3E-4A02-B970-66DF82D69C20@rub.de>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5D917284-34A1-48F0-AA0A-96C97D822211"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Fri, 19 Aug 2022 13:34:28 +0200
In-Reply-To: <i6P0E3xBS_J4u4AFSVcRSWr3NFYghskkodZsfxM82rpjIvoHwbMcDaHGO0DJ7LhNRen6XprDItHKS8wzJYUdET1kJk6rwGtyLK2EwycqkFg=@protonmail.com>
Cc: openpgp@ietf.org
To: Daniel Huigens <d.huigens@protonmail.com>
References: <TTJa-QE7jZWshZLtu4wDR8N6DRYsKWd1S6cV-ze8q9DVO8wzAm5T4fpIEXNsoEU2Psq2oG9HWnH_0bfbzBFVvk2ROMwPNXwlinPnnKw57pM=@protonmail.com> <53ECC178-1B3D-40AE-A684-6469BEBB1426@rub.de> <foDBX2xUSvUd4BeEwZNyqSpI7BySuweSXZD7QFww4_sGWbCRdrwR_uqaQef5POcChWtRYAAYMs9_FB1uTvwTGRhqN9mOYsmfADPoWYv5PQw=@protonmail.com> <0846A2FB-E47F-41BB-BE40-0F4C8014D0FB@rub.de> <i6P0E3xBS_J4u4AFSVcRSWr3NFYghskkodZsfxM82rpjIvoHwbMcDaHGO0DJ7LhNRen6XprDItHKS8wzJYUdET1kJk6rwGtyLK2EwycqkFg=@protonmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/5BNZlVXT73cRXZzj-rmn0DArf5M>
Subject: Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 11:34:39 -0000
Hi, Oh yeah, thanks for pointing out the domain separation strings in those signature schemes. That would work very well together, of course. Thanks, Marcus > Am 19.08.2022 um 13:27 schrieb Daniel Huigens <d.huigens@protonmail.com>: > > Hi Marcus, > > I see, thanks! Yeah, the HKDF already has the packet version number in it, which I assume we'd need to bump if we wanted to add more stuff in the AD. So I think there it shouldn't be an issue, but indeed for signatures it might be needed. > > For the record, some signing algorithms already have a `context` parameter, notably Ed448 which we added to the crypto refresh (and use with an empty context now). In theory, we could use that (and Ed25519ctx) - but for the other algorithms it would be less obvious how to add the context in that case, so I guess it would be easier / simpler to just hash (a length and) the context before the message contents in all cases. > > Best, > Daniel > > ------- Original Message ------- > On Thursday, August 18th, 2022 at 22:47, Marcus Brinkmann <marcus.brinkmann@rub.de> wrote: > >> Hi Daniel, >> >>> Am 18.08.2022 um 20:47 schrieb Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org <mailto:d.huigens=40protonmail.com@dmarc.ietf.org>>: >>>> Here I would suggest to add a variable length field to the AD of every chunk with a two-octet length followed by raw context parameter that would be provided upon encryption and decryption by the implementation. >>> >>> Is there a particular reason for the two-octet length? Can we not simply append the context to what we have now? Not that it would cost much to add a length, just checking if there's some security reason. >> >> Thank you for the question! There is no security reason, you can just append the variable-length context parameter to the AD without a length field, and that is in fact what the prototype implementation that I did for the paper does. >> >> There is just one caveat. If you ever want to add more to the AD, and there is no length field, you have to bump the version number of the v2 SEIPD packet to get separation. >> >> For signing things might be different, as there the document data is already taking up the slot for „variable length data without length field“, so a length field might be needed there (for example, if the context parameter is part of the trailer, an attacker may be able to influence the context parameter to spoof a second trailer that is then valid for a modified document that consists of the original document plus the proper trailer). >> >> Thanks, >> Marcus >> >> — >> Dipl.-Math. Marcus Brinkmann >> >> Lehrstuhl für Netz- und Datensicherheit >> Ruhr Universität Bochum >> Universitätsstr. 150, Geb. ID 2/461 >> D-44780 Bochum >> >> Telefon: +49 (0) 234 / 32-25030 >> http://www.nds.rub.de/chair/people/mbrinkmann <http://www.nds.rub.de/chair/people/mbrinkmann> >> — Dipl.-Math. Marcus Brinkmann Lehrstuhl für Netz- und Datensicherheit Ruhr Universität Bochum Universitätsstr. 150, Geb. ID 2/461 D-44780 Bochum Telefon: +49 (0) 234 / 32-25030 http://www.nds.rub.de/chair/people/mbrinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Ángel
- Re: [openpgp] Encryption and signature context pa… Daniel Kahn Gillmor
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Kahn Gillmor
- Re: [openpgp] Encryption and signature context pa… Michael Richardson
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann