IETF Logo Mail Archive

Re: [openpgp] Padding packets

Ángel <angel@16bits.net> Wed, 15 June 2022 23:43 UTC

Return-Path: <angel@16bits.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32E14C14CF0E for <openpgp@ietfa.amsl.com>; Wed, 15 Jun 2022 16:43:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=16bits.net header.b=Csle72G6; dkim=pass (2048-bit key) header.d=16bits.net header.b=JzSz3US+
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gixXke5Ff7dQ for <openpgp@ietfa.amsl.com>; Wed, 15 Jun 2022 16:43:04 -0700 (PDT)
Received: from mail.direccionemail.com (mail.direccionemail.com [199.195.249.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD056C14F72C for <openpgp@ietf.org>; Wed, 15 Jun 2022 16:43:04 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=16bits.net; s=ec2206; t=1655336581; bh=1fPFumxcns0PPyKmQgVRB2LnwA8hPSwxfBu5fK3XcnI=; h=Subject:From:To:Date:In-Reply-To:References:Content-Type: Content-Transfer-Encoding:MIME-Version; b=Csle72G6Sb/ED7T6YS2MQz5jCUNa4gpGRqRGXY37GhgcwECBId7LjSrsEUWApXFPh QTnbKwO4AJ5NCznoQ3oDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=16bits.net; s=rsa2206; t=1655336581; bh=1fPFumxcns0PPyKmQgVRB2LnwA8hPSwxfBu5fK3XcnI=; h=Subject:From:To:Date:In-Reply-To:References:Content-Type: Content-Transfer-Encoding:MIME-Version; b=JzSz3US+A8rkboabY2Z2ocky48sWmTMsabK9FBjGWmMMn0FQMJ84PFh5AXr/wpT6F +ZJjU/6YqK80AcIlWaNZ9uOF7yLqzCHfVXIQj9w0ZxKBuJ5KRQmgdslNfPSBGxKZln 7fTyHFQwi2rO1i7Ys68PVBkd1oYPYnDZVOtFTsUwYKh/2Jp2lFE4E3oFZ2yyrmuzq8 Xbjh7zdWHQYhMtq3+xMCXI++X1R6q+SBDZZ6JZboKRTZdpuee6uaLKtfLnUiCYV2VS wHrC/uRC4vG8mRztbxtG4p2azsRWo0SzeJHIvI/wH+MAqcesON6AGhCaO3Yfg+JGo8 OaMOOFHgwfebQ==
Message-ID: <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net>
From: Ángel <angel@16bits.net>
To: openpgp@ietf.org
Date: Thu, 16 Jun 2022 01:43:00 +0200
In-Reply-To: <87wndi88ri.fsf@wheatstone.g10code.de>
References: <87wndi88ri.fsf@wheatstone.g10code.de>
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/HE6LgLv8A3OFx65t6LumBf6RcDU>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2022 23:43:10 -0000

On 2022-06-15 at 13:29 +0200, Werner Koch wrote:
> Hi!
> 
> The idea of a padding packet is in general a good idea and has been
> discussed many times:
> 
>    5.14.  Padding Packet (Tag 21)
> 
>    The Padding packet contains random data, and can be used to defend
>    against traffic analysis (see Section 14.10) on version 2 SEIPD
>    [...]
>    Its contents SHOULD be random octets to make the length obfuscation
>    it provides more robust even when compressed.
> 
> The problem with random padding packets is that this opens a high
> capacity channel with all its problems.

I agree. I think this was noted in the past, as well.


However, we don't need this to be random, it can be deterministic yet
incompressible.
Take a symmetric-key algorithm, use it in counter mode with the hash of
the previous packet as key (or IV). That will produce an output which
should not be compressible. Yet, it produces a deterministic padding
that can be verified by the receiving application.


> A better mechanism to add padding is by handling
> this at the MIME layer.

How do you expect to handle this at the MIME layer? Or even if it's not
use in the context of an email message?


See for instance the scenario posed last year in
https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064771.html
(Message-ID: <780b90f468c3e160b56121e2ed02a564cb0429f8.camel@16bits.net)

That's in the context of WKD, where an external observer could
determine the openpgp keys fetched *inside an https transport*.
How would "MIME padding" fix that?


Regards

v2.23.0 | Report a Bug | By Email