IETF Logo Mail Archive

Re: [openpgp] Padding packets

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 15 July 2022 16:53 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 299C6C1594AD for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 09:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.313
X-Spam-Level:
X-Spam-Status: No, score=-1.313 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=7qdqbGeO; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=mWR5xuDC
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzQMzkx07g4G for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 09:53:47 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8307C1A5D15 for <openpgp@ietf.org>; Fri, 15 Jul 2022 09:53:12 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1657903990; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=pzPkMwYLWvFWqtwiEr/kqoH2FChpN1Uw2bFUh5DOBQg=; b=7qdqbGeOM3aN2jV0mNJboXcURvYjDJheYEEQ2ZUG+DL2DUmoSOsRcNvvvj4rLOKuOXaWx 6X7tZKzIt986QGNAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1657903990; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=pzPkMwYLWvFWqtwiEr/kqoH2FChpN1Uw2bFUh5DOBQg=; b=mWR5xuDCWvYTox8JM6HdQbvVJrJlDznrKmLlFftp9y/p1Ig+v/ol6J6Zp5DUW9XYxphAq 2B+10ii+v+8SfoXO+zIqS7LPeuhRTqsK1jvBF+E+R3tJOgL7vURWKR4GguvM1wAXWDLDWOs 2Pq56wGMoFUL//fBJ0DJfd/hovjwQ1KYP+uW2ECbWZ3NrX4G1tzpjeYBIeOH7jnmVujVpft xkGZw+7wbNMpWLE8XjIyRIRFIxqQ3OtQdP7oEsqkejd+MHLwh9YzFrU63tekofkcHBfLtGa DresOaaVM39kaLHBbEktmeK2Cag/wFxTLBCcygYD3KLydlLruIxZuZpbIUUg==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id E5451F9AD; Fri, 15 Jul 2022 12:53:09 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 7B03F203CD; Fri, 15 Jul 2022 12:53:07 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, openpgp@ietf.org
In-Reply-To: <4296a824-f7b0-0af4-22fa-0c4b66f1d359@cs.tcd.ie>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <4296a824-f7b0-0af4-22fa-0c4b66f1d359@cs.tcd.ie>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 15 Jul 2022 12:53:06 -0400
Message-ID: <87pmi6tj0t.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Lm-U7KEhx1t2eJWFRkGqdjC9ZDk>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 16:53:53 -0000

On Fri 2022-07-15 11:45:47 +0100, Stephen Farrell wrote:
> If I were to suggest that we've converged onto merge
> request 204 ([2], use zeros for padding, recommend not
> compressing them) would I be wrong? Please correct me
> if so before Tuesday 19th if you can.

Thanks for this summary, Stephen!

With no hats on, I still prefer the status quo: no changes to the draft
text, encouraging but not requiring the use of high-entropy data in the
padding packet.

But I would be willing to accept merging something similar to (but
looser than) 204.  For example, encouraging the use of all-zeros and
recommending avoiding compression.

And if folks are ok with more complexity, I'd also be OK with something
similar to (but looser than) 203: encouraging the use of a pseudorandom
function with a reasonably high-entropy seed from a
variable-but-derivable value, that a wary recipient could confirm, and
warn about if it doesn't match (meaning there's a likely covert
channel).  but oof, that's a mouthful just to produce a warning that i
think is ultimately unactionable.

However, in its current state, i don't think 204 is OK.  it contains two
unenforcable MUSTs:

 1) Its contents MUST be all zero octets
 2) Padding MUST NOT be used in combination with compression at a higher level

While the generating application can obey point 1, it won't be a true
MUST (that is, causing a protocol interop failure if it isn't followed)
unless some *recipient* rejects any padding packet that is found to not
contain all-zeros.  That introduces unnecessary brittleness and i don't
think it's a good idea for the ecosystem.  why introduce this interop
failure?

For point 2, it (a) isn't enforcable by the generating application (in
many cases, you don't know whether the OpenPGP packet sequence you
produce will be transmitted over or stored on a compressed medium) and
(b) if it is enforced by the receiving application, will cause another
form of brittleness.  ("The OpenPGP certificate in this PKZIP file was
invalid because it contained a padding packet with non-zero content;
extract it to a normal decompressed file and then it will be acceptable"
seems like a not-useful workflow).

Even if we accept that these are sensible costs for the ecosystem to
bear, we haven't eliminated covert channels in OpenPGP more generally.
Someone could squat on a non-critical packet type, or inject
experimental subpackets in the non-hashed area, etc, and the covert
channel still exists.  *And* padding packets will be completely
ineffective under compression.

The simplest approach with what i see as the fewest downsides is to
recommend but don't enforce high entropy material in the padding packet.

        --dkg

v2.23.0 | Report a Bug | By Email