IETF Logo Mail Archive

Re: [openpgp] Padding packets

Daniel Huigens <d.huigens@protonmail.com> Wed, 22 June 2022 14:44 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59AD7C147921 for <openpgp@ietfa.amsl.com>; Wed, 22 Jun 2022 07:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2FlwZhGf079 for <openpgp@ietfa.amsl.com>; Wed, 22 Jun 2022 07:44:03 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D1EAC15948A for <openpgp@ietf.org>; Wed, 22 Jun 2022 07:44:03 -0700 (PDT)
Date: Wed, 22 Jun 2022 14:43:57 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1655909041; x=1656168241; bh=4nkUZXxN8r+/vJx6sriKi4tqGhbPBsVKhojbxe3WL5o=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=HnmuunaxXbipU9mnX2MkmP+ajIqe9A3s1X/V29AVndu35gKx/ORtD1daMF0+OKNHh OnYjVWMmAy7hGyQOrUUNdAqbR0AFwIBYJZikf9kal0nz4M7OVzk6fnhWegA3prvpas iYPaad6uZ5+4V2Hcp2g7gZICxHzpfV2H+xR6Ipj3TZN8PL1evkbzZbTjEMklBBChnZ z7bT6ET6kf6i2uUmFTys5pEQXoLxyBfONztnvyxzpcnPks3N3nbm5HlWF2ULI6ayXF b7EL6yuiq5qprBEk80dbzc3t1RmJoM3IrdCKo7g3yJnC4/C9LxN71RyhJQ4w3sBQNE 368JSkjQZsyGw==
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <59fSO5nTaFt5_RmAFuv4CLyyE69fJYD3aGEZcXBGi9j-6OoXfInFj_j-anaVXp9d96mEbcZER59ajpTcZuEx-qMm8UW6Y-XN5Ro_JiU0_3I=@protonmail.com>
In-Reply-To: <87zgi562n6.fsf@fifthhorseman.net>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net> <o17TAfJTeOZkYp5X-XwNQwnTrCaiKEGnn1ZAL1qLB5CTGKntjwv6dpCIah44pAdH8nHXa4ivte_MMtqXuKP3uhobW5kJk9E6rAEWneD11yA=@protonmail.com> <87czf36uwi.fsf@fifthhorseman.net> <uD26D3k2l-7O9su7otzxmVOfZSOGK4FGCoSr1YRUuRhp7vUpaSDCv1qrI7ieaWz5SEz9APsTob-AUtTP-VQ07AECoLtVlbc9m8pHtQZLz9I=@protonmail.com> <87zgi562n6.fsf@fifthhorseman.net>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/GLm_X4tt4X516x5EskLpgW_iLZs>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2022 14:44:08 -0000

On Wednesday, June 22nd, 2022 at 01:02, Daniel Kahn Gillmor wrote:

> You're right that the metadata fields in OpenPGP packets are themselves
> fairly low-entropy, so the protection a padding packet can provide
> against compression isn't going to be bulletproof.

It's not just that, the content of the message itself is also often
low-entropy, so if we want to hide the length, it shouldn't be
compressed (or should be padded *after* compression).

> IIRC, the padding packet was initially proposed as containing all-zeros,
> as a way to avoid adding yet another side channel; the DT changed it to
> high-entropy data specifically because of concerns about compression.

Yeah, I know. Back then I objected to the language that said that this
was "to make the padding robust against compression", which I didn't
think was true, so it was changed to "more robust". That is of course
better but I would personally still prefer not to imply any robustness
of the (length obfuscation offered by) padding after compression.

> If we recommend that the packet contain all-zeros as proof of
> no-covert-channel, i still don't think it's advisable to require
> implementations to reject the entire packet sequence if any non-zero
> data is found in a padding packet. At most i'd say that some
> implementations may want to warn the user that there may be hidden
> data (but see [] below).

Sure, I'd be fine with that.

> So the padding packet doesn't open a new covert channel, regardless of
> how it is specified.

I agree.

Though one thing I like about this change (or specifying all zeros) is
not having to generate large amounts of random data. Section 14.9
(Random Number Generation and Seeding) gives some guidance about that,
but not having to do so in the first place simplifies things, imo.

But perhaps we can just leave it open; and allow the implementation to
choose between all zeros and random data, for example.

Best,
Daniel

v2.23.0 | Report a Bug | By Email