Re: [openpgp] Intent to deprecate: Insecure primitives
ianG <iang@iang.org> Mon, 23 March 2015 19:04 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 236631AD0C2 for <openpgp@ietfa.amsl.com>; Mon, 23 Mar 2015 12:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJus-LS1s8FW for <openpgp@ietfa.amsl.com>; Mon, 23 Mar 2015 12:04:02 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC7BE1AD333 for <openpgp@ietf.org>; Mon, 23 Mar 2015 12:04:02 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 81EE66D7A3; Mon, 23 Mar 2015 15:04:01 -0400 (EDT)
Message-ID: <5510639F.3030004@iang.org>
Date: Mon, 23 Mar 2015 19:03:59 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <r422Ps-1075i-0DAFD7F0DE904C66B37F279A05E0CB4A@Williams-MacBook-Pro.local> <sjm8uerhchh.fsf@securerf.ihtfp.org> <550E88DD.3050908@gmail.com>
In-Reply-To: <550E88DD.3050908@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/NKJEnECgy_ZWIjnV7n2UJrfSgMA>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 19:04:04 -0000
On 22/03/2015 09:18 am, Andrew Skretvedt wrote: > I am a curious onlooker with no operational affiliation to the business > of this list (and normally silent), with an observation/question at this > point in this thread: > > Is it considered best practice now to encrypt, then sign? What is the meaning of 'sign'? Do you mean here to sign as if you are affirming that it is you sending the message and you might consider this a digitial signature over your words? If so, then you should sign before encryption, and it's a good idea to do that in cleartext/inline format. Alternatively, are you signing to put a message authentication code over it so that it is securely delivered? In which case, it is better practice to encrypt then sign. While this is not a totally solid rule (it depends on the protocol details) I think this is safe in OpenPGP. > I think I > heard somewhere that SSL/TLS does it the other-way-round and has thereby > innocently created certain problems. GnuPG allows these operations to be > combined on the command line, and then I don't know in what order they > actually occur. Yeah, the research on attacking the order came after these things were thought about in groups. But bear in mind there is a bit of a difference between SHA-style HMACs and RSA-style digsigs. > If you receive an encrypted and signed message, and best practice would > be to, in reasonable time, decrypt from wire-format and re-encrypt to > local format for PFS (which seems to me a really sound policy, given > modern experiences, and might be just as easy as leaving it to your > full-disk-encryption system where you store your mail), might you lose > the ability to provably authenticate the messages in your archive? I can > think of situations where one would not want to lose this ability (e.g. > some sort of dispute or legal proceeding). Yes, that's complicated. Suffice to say that the need to prove that you received a message and didn't change it is way-over-thought in the tech world. 99.999% of it is about having the message [1]. So let's solve the real problems before we make up problems... > Perhaps if they get signed, then encrypted, this problem goes away. But > then why /should/ one do these two operations in one order in the e-mail > context, but perhaps the opposite order in others? (Perhaps I betray my > ignorance at this point.) The reasons are historical. Back then, nobody much knew the difference between authentication and signing. Later on, HMACs were developed for the message integrity. And signing-as-intent fell out of favour because nobody wanted it. So likely a new message suite will include an AE or Authenticated Encryption suite, which will handle all the message integrity. That'll be stripped off, and the message will be delivered plain. Then the software will say who it comes from. If there is a need to keep that proof then we'll likely need another tag to attach to the plaintext message. iang [1] as long as we're talking words. If we're talking transactions then a common dispute is having different 'recollections' of the transaction, and having good MAC'd copies is what we want to achieve.
- Re: [openpgp] Intent to deprecate: Insecure primi… Falcon Darkstar Momot
- Re: [openpgp] Intent to deprecate: Insecure primi… Wyllys Ingersoll
- Re: [openpgp] Intent to deprecate: Insecure primi… Werner Koch
- Re: [openpgp] Intent to deprecate: Insecure primi… David Leon Gil
- Re: [openpgp] Intent to deprecate: Insecure primi… Daniel Kahn Gillmor
- Re: [openpgp] Intent to deprecate: Insecure primi… Stephen Farrell
- Re: [openpgp] Intent to deprecate: Insecure primi… Kristian Fiskerstrand
- Re: [openpgp] Intent to deprecate: Insecure primi… Derek Atkins
- Re: [openpgp] Intent to deprecate: Insecure primi… Stephen Paul Weber
- Re: [openpgp] Intent to deprecate: Insecure primi… David Shaw
- Re: [openpgp] Intent to deprecate: Insecure primi… Bill Frantz
- Re: [openpgp] Intent to deprecate: Insecure primi… vedaal
- Re: [openpgp] Intent to deprecate: Insecure primi… Jon Callas
- Re: [openpgp] Intent to deprecate: Insecure primi… David Leon Gil
- Re: [openpgp] Intent to deprecate: Insecure primi… David Leon Gil
- Re: [openpgp] Intent to deprecate: Insecure primi… David Leon Gil
- Re: [openpgp] Intent to deprecate: Insecure primi… Stephen Paul Weber
- Re: [openpgp] Intent to deprecate: Insecure primi… David Shaw
- [openpgp] Intent to deprecate: Insecure primitives David Leon Gil
- Re: [openpgp] Intent to deprecate: Insecure primi… Ryan Carboni
- Re: [openpgp] Intent to deprecate: Insecure primi… Jon Callas
- Re: [openpgp] Intent to deprecate: Insecure primi… Peter Gutmann
- Re: [openpgp] Intent to deprecate: Insecure primi… Werner Koch
- Re: [openpgp] Intent to deprecate: Insecure primi… Derek Atkins
- Re: [openpgp] Intent to deprecate: Insecure primi… Daniel Kahn Gillmor
- Re: [openpgp] Intent to deprecate: Insecure primi… Bill Frantz
- Re: [openpgp] Intent to deprecate: Insecure primi… Falcon Darkstar Momot
- Re: [openpgp] Intent to deprecate: Insecure primi… Falcon Darkstar Momot
- Re: [openpgp] Intent to deprecate: Insecure primi… Phillip Hallam-Baker
- Re: [openpgp] Intent to deprecate: Insecure primi… Bill Frantz
- Re: [openpgp] Intent to deprecate: Insecure primi… Derek Atkins
- Re: [openpgp] Intent to deprecate: Insecure primi… Derek Atkins
- Re: [openpgp] Intent to deprecate: Insecure primi… Andrew Skretvedt
- Re: [openpgp] Intent to deprecate: Insecure primi… ianG
- Re: [openpgp] Intent to deprecate: Insecure primi… ianG
- Re: [openpgp] Intent to deprecate: Insecure primi… Christoph Anton Mitterer
- Re: [openpgp] Intent to deprecate: Insecure primi… David Leon Gil
- Re: [openpgp] Intent to deprecate: Insecure primi… Christoph Anton Mitterer
- Re: [openpgp] Intent to deprecate: Insecure primi… ianG
- Re: [openpgp] Intent to deprecate: Insecure primi… Ben McGinnes
- Re: [openpgp] Intent to deprecate: Insecure primi… Tom Ritter
- [openpgp] Intent to deprecate: Insecure primitives David Leon Gil