Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)

Marcus Brinkmann <marcus.brinkmann@rub.de> Wed, 17 August 2022 23:13 UTC

Return-Path: <marcus.brinkmann@rub.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EC21C15948E for <openpgp@ietfa.amsl.com>; Wed, 17 Aug 2022 16:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rub.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 457i7TwE-63H for <openpgp@ietfa.amsl.com>; Wed, 17 Aug 2022 16:13:34 -0700 (PDT)
Received: from out3.mail.ruhr-uni-bochum.de (out3.mail.ruhr-uni-bochum.de [IPv6:2a05:3e00:8:1001::8693:359b]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B6AC1524D5 for <openpgp@ietf.org>; Wed, 17 Aug 2022 16:12:57 -0700 (PDT)
Received: from mx3.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by out3.mail.ruhr-uni-bochum.de (Postfix mo-ext) with ESMTP id 4M7P1x4TrKz8S8C; Thu, 18 Aug 2022 01:12:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=rub.de; s=mail-2017; t=1660777973; bh=A7WX30JsllLCRAMKWYGfihcL2HSricB1jkvER3Z3JXY=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=0jpHZtCK9rk+R2Bz3hkuUCW6uTYKJFbXJd3wWAScAWEJ8cj+dIaLhHrraoD3vp1zO pCbHtrgTLm3EWENa3pkEMn072Ppn62Ltn6+vZqbyEkWblvgbS9IbER9WcYT2SlvaJ2 offK+scLdq7y00tkP6vX5Brr1LoBsN0yeWAqKqGs=
Received: from out3.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by mx3.mail.ruhr-uni-bochum.de (Postfix idis) with ESMTP id 4M7P1x3fNRz8S6h; Thu, 18 Aug 2022 01:12:53 +0200 (CEST)
X-Envelope-Sender: <marcus.brinkmann@rub.de>
X-RUB-Notes: Internal origin=IPv6:2a05:3e00:c:1001::8693:2aec
Received: from mail2.mail.ruhr-uni-bochum.de (mail2.mail.ruhr-uni-bochum.de [IPv6:2a05:3e00:c:1001::8693:2aec]) by out3.mail.ruhr-uni-bochum.de (Postfix mi-int) with ESMTP id 4M7P1x1kV5z8S7T; Thu, 18 Aug 2022 01:12:53 +0200 (CEST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.104.1 at mx3.mail.ruhr-uni-bochum.de
Received: from smtpclient.apple (int-63-147.vpn.ruhr-uni-bochum.de [IPv6:2a05:3e00:c:5::a05:3f93]) by mail2.mail.ruhr-uni-bochum.de (Postfix) with ESMTPSA id 4M7P1v5WZBzDgyq; Thu, 18 Aug 2022 01:12:51 +0200 (CEST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.104.2 at mail2.mail.ruhr-uni-bochum.de
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-Id: <53ECC178-1B3D-40AE-A684-6469BEBB1426@rub.de>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DB1F49EB-04CA-470C-9519-D52054DF7684"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Thu, 18 Aug 2022 01:12:51 +0200
In-Reply-To: <TTJa-QE7jZWshZLtu4wDR8N6DRYsKWd1S6cV-ze8q9DVO8wzAm5T4fpIEXNsoEU2Psq2oG9HWnH_0bfbzBFVvk2ROMwPNXwlinPnnKw57pM=@protonmail.com>
Cc: openpgp@ietf.org
To: Daniel Huigens <d.huigens@protonmail.com>
References: <TTJa-QE7jZWshZLtu4wDR8N6DRYsKWd1S6cV-ze8q9DVO8wzAm5T4fpIEXNsoEU2Psq2oG9HWnH_0bfbzBFVvk2ROMwPNXwlinPnnKw57pM=@protonmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/EdS6TDAYxawuschOq-SwmMHVe3s>
Subject: Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 23:13:40 -0000

Hi Daniel,

> Am 17.08.2022 um 16:15 schrieb Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>:
> On the one hand, I personally think that supporting multiple encrypted
> parts, or mixing encrypted and unencrypted parts, and replacing an
> encrypted MIME part with an unencrypted part in-place, is fraught, and
> in ProtonMail we don't support it. Nevertheless, I know it's something
> that is done, and some users expect it.
> 
> On the other hand, I agree that having some binding between the
> encryption and the email context would be valuable. In an ideal world,
> we would all be using PGP/MIME with protected headers, but as you point
> out, PGP/MIME can also be downgraded to PGP/Inline, so that might not
> even be sufficient.

Yes, and we limited our investigation to email encryption only because that was a nicely scoped academic research task. Even just adding some mime type, file ending, or any other meaningful label as context parameter would be useful to disable potential attacks that exploit context confusion across different application domains (for example stuffing email ciphertexts into OpenOffice documents should they support public key document encryption in the future).

> So, I agree it could be valuable to add something like this, though
> it's a bit last minute. But we could indeed do so for SEIPDv2 without
> breaking stuff. However, to do so we would need to define somewhere
> what the AD should be, for example in a spec about PGP/MIME, and
> perhaps also for PGP/Inline, etc.

It would be great to get some consideration to this, so I am glad to help in any way I can.

In the paper we describe a simple approach where the context data is just the AD. In OpenPGP, the AD already contains some metadata. Here I would suggest to add a variable length field to the AD of every chunk with a two-octet length followed by raw context parameter that would be provided upon encryption and decryption by the implementation. Note that in general the context parameter should not itself be included in the OpenPGP data structures, because that would invite implementations to „cheat“ and to use the included context parameter instead actually deriving the context parameter from, well, the context.

Some design options (feel free to ask for more details):

* Use a fixed length field instead of a variable length field, and define how the context parameter is compressed into it with a hash function. Don’t recommend, because it adds an extra assumption to the security reduction and duplicates what the AEAD already does. (In the rare case where the AD is massive and slows down chunk verification, it could already be hashed by the application instead at the application’s own peril). Also, if no context parameter is used this is less efficient and requires a default value.

* Use a PRF to include the context data in the key derivation (similar to how the per-message salt works). This is an alternative for legacy (non-AEAD) ciphers. We have a security proof for this based on the PRF assumption, the collision-security of the hash function used by the PRF, and the CCA and INT-CTXT security of the encryption. Don’t recommend, because why bother with this? Just use an AEAD mode.

* For recovery and debugging purposes, one might optionally want to include the context parameter in the OpenPGP packet (not just the AD during encryption/decryption) despite the risks that this entails. This is dangerous, because it allows applications to „cheat“ and decrypt outside of the intended context at will. However, there may be use cases where it is important to be able to decrypt even if the original context is lost. Don’t recommend because it feels like a trap to me, but it could alleviate some valid concerns.

> As a slightly orthogonal point, there have also been security issues
> with signatures being reused in different contexts. The Intended
> Recipient Fingerprint subpacket fixes one of those, but not all.
> I think it would be valuable to have a `context` parameter in OpenPGP
> that is used for both signatures and encryption, and then the
> higher-level spec or application using OpenPGP can define how the
> context should be computed. That might also address some of the
> concerns in your other message about email signature spoofing,
> perhaps.

Yes, thank you for raising the subject of signatures. I do agree there is value in signing contexts. For example, a PGP/Inline attachment is a signature over the raw binary content of the attachment, and that could possibly be substituted as a Debian package or Git commit signature in a phishing attack. To prevent this entirely, adding a context label to signature generation and verification would be helpful. A more relevant example would be MIME wrapping signatures from our „Johnny you are fired!“ paper, where a valid signature is included in a larger MIME email with multiple parts, and possibly the ID attacks from that paper depending on how emails implement the context derivation.

We did discuss signing contexts shortly at the time, but decided to not cover them in the paper. First, focussing on encryption made sense for the purpose of academic review and publishing. But also because cryptographically the solution is pretty simple: Just hash more data when signing. This does not strictly require a new API. However, to make this actually work in practice there has to be a global policy for a guaranteed length field or separator that can not be omitted and that ensures that messages with different contexts (including no context) can not overlap. This is something that would need be best specified in the OpenPGP standard to be effective. I do regret now that we did not at least mention this explicitly in future work.

> If there is interest in this, I can make some MRs proposing changes to
> that effect.

Happy to review and/or help in any way I can.

Thanks,
Marcus

> ------- Original Message -------
> On Monday, August 8th, 2022 at 21:19, Marcus Brinkmann wrote:
> 
>>> Am 02.08.2022 um 18:59 schrieb Bruce Walzer bwalzer@59.ca:
>> 
>>> AEAD isn't even a very accurate term in an OpenPGP context. There is
>>> no AD (associated data) exposed to the user of such a system. It just
>>> doesn't work that way.
>> 
>> 
>> It would be very useful to expose AD in OpenPGP to users to prevent exfiltration attacks in the context of email. See our research at [1].
>> 
>> Thanks,
>> Marcus
>> 
>> [1] Jörg Schwenk, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj Somorovsky, and Sebastian Schinzel. 2020. Mitigation of Attacks on Email End-to-End Encryption. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, New York, NY, USA, 1647–1664. https://doi.org/10.1145/3372297.3417878
>> 
>> Preprint available here: https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/12/06/schwenk2020.pdf
>> 
>> —
>> Dipl.-Math. Marcus Brinkmann
>> 
>> Lehrstuhl für Netz- und Datensicherheit
>> Ruhr Universität Bochum
>> Universitätsstr. 150, Geb. ID 2/461
>> D-44780 Bochum
>> 
>> Telefon: +49 (0) 234 / 32-25030
>> http://www.nds.rub.de/chair/people/mbrinkmann
>> 
>> _______________________________________________
>> openpgp mailing list
>> openpgp@ietf.org
>> https://www.ietf.org/mailman/listinfo/openpgp

—
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann