Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)

Ángel <angel@16bits.net> Mon, 03 October 2022 00:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/7VqJGyh6zJrV5TFJe0HG3NnYago>

On 2022-08-18 at 01:12 +0200, Marcus Brinkmann wrote:
> Yes, and we limited our investigation to email encryption only
> because that was a nicely scoped academic research task. Even just
> adding some mime type, file ending, or any other meaningful label as
> context parameter would be useful to disable potential attacks that
> exploit context confusion across different application domains (for
> example stuffing email ciphertexts into OpenOffice documents should
> they support public key document encryption in the future).

For the record, it is already possible to encrypt OpenOffice documents
(i.e. OpenDocument) using OpenPGP keys, in what might be a LibreOffice
extension: 
https://conference.libreoffice.org/assets/Conference/Rome/Slides/libocon2017gpg4libre.pdf


It seems like a "normal" password-encrypted document where the key is
available through OpenPGP.

META-INF/manifest.xml looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0">
 <loext:keyinfo>
  <loext:encrypted-key>
   <loext:encryption-method loext:PGPAlgorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <loext:KeyInfo>
    <loext:PGPData>
     <loext:PGPKeyID>{base64 of ASCII fingerprint of the main key}</loext:PGPKeyID>
     <loext:PGPKeyPacket>{base64 of ASCII fingerprint of the main key}</loext:PGPKeyPacket>
    </loext:PGPData>
   </loext:KeyInfo>
   <loext:CipherData>
    <loext:CipherValue>{OpenPGP encrypted data}</loext:CipherValue>
   </loext:CipherData>
  </loext:encrypted-key>
 </loext:keyinfo>
 <manifest:file-entry manifest:full-path="/" manifest:version="1.2" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="styles.xml" manifest:media-type="text/xml" manifest:size="12337">
  <manifest:encryption-data manifest:checksum-type="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k" manifest:checksum="4AfV2B3IFXUKhnXhd8dH3xD1kyrxL1nHKmHLVyTwKYQ=">
   <manifest:algorithm manifest:algorithm-name="http://www.w3.org/2001/04/xmlenc#aes256-cbc" manifest:initialisation-vector="{base64 of IV}"/>
   <manifest:key-derivation manifest:key-derivation-name="PGP"/>
  </manifest:encryption-data>
 </manifest:file-entry>
 <manifest:file-entry manifest:full-path="settings.xml" manifest:media-type="text/xml" manifest:size="12055">
 ...
 </manifest:file-entry>
</manifest:manifest>

Regards
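
Added example, not part of the original message and not LibreOffice code: a small auditor that reads a manifest of the shape quoted above and reports who the document key is wrapped for and which file entries are encrypted with which algorithm and key derivation. The sample manifest, its fingerprint and its placeholder values are constructed; the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the manifest quoted in the message.
MANIFEST = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
LOEXT = "urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0"
NS = {"manifest": MANIFEST, "loext": LOEXT}

# Constructed sample: made-up fingerprint, placeholder ciphertext, checksum and IV.
FAKE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = f"""<manifest:manifest xmlns:manifest="{MANIFEST}" xmlns:loext="{LOEXT}">
 <loext:keyinfo><loext:encrypted-key>
  <loext:encryption-method loext:PGPAlgorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  <loext:KeyInfo><loext:PGPData>
   <loext:PGPKeyID>{base64.b64encode(FAKE_FPR.encode()).decode()}</loext:PGPKeyID>
  </loext:PGPData></loext:KeyInfo>
  <loext:CipherData><loext:CipherValue>CONSTRUCTED</loext:CipherValue></loext:CipherData>
 </loext:encrypted-key></loext:keyinfo>
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="styles.xml" manifest:media-type="text/xml">
  <manifest:encryption-data manifest:checksum-type="{MANIFEST}#sha256-1k" manifest:checksum="CONSTRUCTED">
   <manifest:algorithm manifest:algorithm-name="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                       manifest:initialisation-vector="CONSTRUCTED"/>
   <manifest:key-derivation manifest:key-derivation-name="PGP"/>
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>"""

def attr(elem, ns, name):
    """Read a namespace-qualified attribute, or None if elem/attribute is absent."""
    return None if elem is None else elem.get(f"{{{ns}}}{name}")

def audit_manifest(xml_text):
    """Return (recipients, entries) describing the encryption metadata."""
    root = ET.fromstring(xml_text)
    recipients = []
    for ek in root.iterfind("loext:keyinfo/loext:encrypted-key", NS):
        key_id = ek.findtext("loext:KeyInfo/loext:PGPData/loext:PGPKeyID", "", NS).strip()
        recipients.append({
            "key_wrap": attr(ek.find("loext:encryption-method", NS), LOEXT, "PGPAlgorithm"),
            "fingerprint": base64.b64decode(key_id).decode("ascii", "replace"),
        })
    entries = []
    for fe in root.iterfind("manifest:file-entry", NS):
        enc = fe.find("manifest:encryption-data", NS)
        row = {"path": attr(fe, MANIFEST, "full-path"), "encrypted": enc is not None}
        if enc is not None:
            row["cipher"] = attr(enc.find("manifest:algorithm", NS), MANIFEST, "algorithm-name")
            row["kdf"] = attr(enc.find("manifest:key-derivation", NS), MANIFEST, "key-derivation-name")
        entries.append(row)
    return recipients, entries
```

For documents from untrusted sources, a hardened parser such as defusedxml is a safer choice than the standard-library one used here.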