IETF Logo Mail Archive

Re: [openpgp] Intent to deprecate: Insecure primitives

ianG <iang@iang.org> Mon, 23 March 2015 19:04 UTC

Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 236631AD0C2 for <openpgp@ietfa.amsl.com>; Mon, 23 Mar 2015 12:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJus-LS1s8FW for <openpgp@ietfa.amsl.com>; Mon, 23 Mar 2015 12:04:02 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC7BE1AD333 for <openpgp@ietf.org>; Mon, 23 Mar 2015 12:04:02 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 81EE66D7A3; Mon, 23 Mar 2015 15:04:01 -0400 (EDT)
Message-ID: <5510639F.3030004@iang.org>
Date: Mon, 23 Mar 2015 19:03:59 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <r422Ps-1075i-0DAFD7F0DE904C66B37F279A05E0CB4A@Williams-MacBook-Pro.local> <sjm8uerhchh.fsf@securerf.ihtfp.org> <550E88DD.3050908@gmail.com>
In-Reply-To: <550E88DD.3050908@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/NKJEnECgy_ZWIjnV7n2UJrfSgMA>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 19:04:04 -0000

On 22/03/2015 09:18 am, Andrew Skretvedt wrote:
> I am a curious onlooker with no operational affiliation to the business
> of this list (and normally silent), with an observation/question at this
> point in this thread:
>
> Is it considered best practice now to encrypt, then sign?


What is the meaning of 'sign'?  Do you mean here to sign as if you are 
affirming that it is you sending the message and you might consider this 
a digitial signature over your words?  If so, then you should sign 
before encryption, and it's a good idea to do that in cleartext/inline 
format.

Alternatively, are you signing to put a message authentication code over 
it so that it is securely delivered?  In which case, it is better 
practice to encrypt then sign.  While this is not a totally solid rule 
(it depends on the protocol details) I think this is safe in OpenPGP.


> I think I
> heard somewhere that SSL/TLS does it the other-way-round and has thereby
> innocently created certain problems. GnuPG allows these operations to be
> combined on the command line, and then I don't know in what order they
> actually occur.


Yeah, the research on attacking the order came after these things were 
thought about in groups.  But bear in mind there is a bit of a 
difference between SHA-style HMACs and RSA-style digsigs.


> If you receive an encrypted and signed message, and best practice would
> be to, in reasonable time, decrypt from wire-format and re-encrypt to
> local format for PFS (which seems to me a really sound policy, given
> modern experiences, and might be just as easy as leaving it to your
> full-disk-encryption system where you store your mail), might you lose
> the ability to provably authenticate the messages in your archive? I can
> think of situations where one would not want to lose this ability (e.g.
> some sort of dispute or legal proceeding).


Yes, that's complicated.  Suffice to say that the need to prove that you 
received a message and didn't change it is way-over-thought in the tech 
world.  99.999% of it is about having the message [1].  So let's solve 
the real problems before we make up problems...


> Perhaps if they get signed, then encrypted, this problem goes away. But
> then why /should/ one do these two operations in one order in the e-mail
> context, but perhaps the opposite order in others? (Perhaps I betray my
> ignorance at this point.)


The reasons are historical.  Back then, nobody much knew the difference 
between authentication and signing.  Later on, HMACs were developed for 
the message integrity.  And signing-as-intent fell out of favour because 
nobody wanted it.

So likely a new message suite will include an AE or Authenticated 
Encryption suite, which will handle all the message integrity.  That'll 
be stripped off, and the message will be delivered plain.  Then the 
software will say who it comes from.  If there is a need to keep that 
proof then we'll likely need another tag to attach to the plaintext message.

iang



[1] as long as we're talking words.  If we're talking transactions then 
a common dispute is having different 'recollections' of the transaction, 
and having good MAC'd copies is what we want to achieve.

v2.23.0 | Report a Bug | By Email