Re: [openpgp] Tapping Into Format Oracles in Email End-to-End Encryption
iang <iang@iang.org> Fri, 20 January 2023 11:33 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C624CC151717 for <openpgp@ietfa.amsl.com>; Fri, 20 Jan 2023 03:33:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmbsLEl9TGjw for <openpgp@ietfa.amsl.com>; Fri, 20 Jan 2023 03:33:29 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37205C151708 for <openpgp@ietf.org>; Fri, 20 Jan 2023 03:33:28 -0800 (PST)
Received: from virulha.pair.com (localhost [127.0.0.1]) by virulha.pair.com (Postfix) with ESMTP id C84AD6D6E0; Fri, 20 Jan 2023 06:33:26 -0500 (EST)
Received: from [127.0.0.1] (iang.org [209.197.106.187]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by virulha.pair.com (Postfix) with ESMTPSA id 3BF8B6D6EF; Fri, 20 Jan 2023 06:33:26 -0500 (EST)
Message-ID: <97d19d89-23de-df45-ef55-a2071ff8d623@iang.org>
Date: Fri, 20 Jan 2023 13:33:24 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
To: openpgp@ietf.org
References: <1C3A8A72-24B1-42CF-BBCD-FFAC4CF7EA72@rub.de>
From: iang <iang@iang.org>
In-Reply-To: <1C3A8A72-24B1-42CF-BBCD-FFAC4CF7EA72@rub.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: mailmunge 3.10 on 209.68.5.166
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/CRY2FCyLMlCCLRio5FUMciuVTAY>
Subject: Re: [openpgp] Tapping Into Format Oracles in Email End-to-End Encryption
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jan 2023 11:33:29 -0000
On 20/01/2023 12:13, Marcus Brinkmann wrote: > My opinion: > > Although limitations in email clients do not lead to practical attacks > in other cases, this is something that can change over time. The > importance of this work is to raise awareness that S/MIME and OpenPGP > are not just static data formats for encryption at rest, but used in > dynamic applications where oracle queries are possible. The OpenPGP > community should be aware of this risk and ensure that the chance for > format oracles in the standard is minimized. PGP has always been a data format, and perhaps always will be. This is a strong assumption. But that assumption may be well past its use-by date. Arguably, every use of PGP rubs up against protocols (*). And when that happens, the discordance between data formats and the protocols leads to a mess. Eg, opportunity for insecurity, but PGP is not to blame bc it's just a data format. This "throw the problem over the wall" approach isn't good for security. You aren't doing security if you just declare your bit good; security is end-to-end, top-to-bottom, from inside to outside, including the people. Lots of people are still using OpenPGP for their secure applications, as one layer in a complex stack. Which may be fine for those people who are used to that, but the success of the market-leading applications points to a different way - top-to-bottom custom protocols with crypto and formats tightly integrated. Eg Signal, Skype, perhaps Apple. Instead of the components model which PGP epitomises. Just how far can we go in delivering protection when OpenPGP isn't part of the protocol design? iang (*) one might be able to say that backups don't rub up against protocols, but it's only partial.