[openpgp] changing the trailer for hashed data in v5 OpenPGP signatures
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 19 November 2022 02:05 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18005C14CEE4 for <openpgp@ietfa.amsl.com>; Fri, 18 Nov 2022 18:05:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=giYwYESx; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=X7y3HzSc
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAuZSX6KltZu for <openpgp@ietfa.amsl.com>; Fri, 18 Nov 2022 18:05:21 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93E52C14CEE2 for <openpgp@ietf.org>; Fri, 18 Nov 2022 18:05:21 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1668823519; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=9tOT0pXbbQj2pkGjRytVb7DdZGGQUY7VTIwIVvk4ChU=; b=giYwYESxBSSaCspFgW2hQWv47igXaZNdYQBOtMKNJENPmMT59HYaks92bupB2/HcrORsj ktdXZWlqZomaMLyCA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1668823519; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=9tOT0pXbbQj2pkGjRytVb7DdZGGQUY7VTIwIVvk4ChU=; b=X7y3HzScpltfP8SXfmLb2y/G2hLIzh7N0h77pVOeRIN/08+cvJ+Jtg9fYdoK/rUb6wkgR tGLHqchtZs9Q1RkGom86wXqoM8hW3oqGbDROQnCqZOQ2vQH7/TCKi7TQ//ZKjArr0lKcpBZ K9R9Zunk3J8gWBsTox1vnYIgV+VOMu0h0dotzQju+DbcC0X9H4pUfuenFSZQlXQoKqTjQOi cclq9EmDsFCaiIA5cNlF6BzOPtXWQJDPP1D5+j9wr9rgA053lfoYAGzSfbjoyXWCz6McckY QTKSqnz972DqlCz5Du32rN7AfsIGbtynazZRJU0ozLV6Vx3rUPlEW4ZstrVQ==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 36F85F9AD for <openpgp@ietf.org>; Fri, 18 Nov 2022 21:05:19 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 7474B204E6; Fri, 18 Nov 2022 21:05:16 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 18 Nov 2022 21:05:13 -0500
Message-ID: <87r0xzzokm.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Uqkd3x_stSidD5AQA5ksirsh6vs>
Subject: [openpgp] changing the trailer for hashed data in v5 OpenPGP signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2022 02:05:27 -0000
Hi all-- In the IETF 115 meeting, we discussed the concern that a v5 signature could be replayed as a v3 signature across subtly different data due to there being a simple and accidental aliasing between the trailer of the data hashed for a v3 signature and the trailer of the data hashed for a v5 signature. This concern was identified by Demi Marie Obenour over here: https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/130 I've written a patch to the draft to address this, but it's not ready to be merged yet because i haven't been able to validate the existing certificate yet (see my other message to this list from today, Message-Id: <87sfifzp3a.fsf@fifthhorseman.net>. So i haven't updated the certificate with this change. You can see the proposed change (without the updated sample certificate) below, and in https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/220 ----- But in reviewing this, i've come across another question: do we really need the larger trailing suffix for v5 signatures? v4 signatures have a four-octet suffix that is a big-endian representation for the trailer size. v5 signatures currently change that to eight-octets, which is is where the v5→v3 ailiasing problem comes into play. But this value represents the size of the *trailer*, not the size of the message itself. So the increase is necessary for trailers larger than 4GiB. Is this necessary? The trailer consists of: a) one octet each of: sigversion, sigtype, pubkeyalgo, hashalgo b) hashed subpackets length and body c) one octet of sigversion d) one octet of 0xff e) size of a and b together The only variable-length field here is the hashed subpackets. Do we really have a use case where the hashed subpackets will end up being so close to 4GiB (the largest possible size due to the construction of the v5 signature packet itself) that the four additional octets will push it over the limit? If my analysis is right, i think we can leave the trailer length at four octets instead of eight for v5 signatures, which would simplify things even further, and still solve the v5→v3 aliasing problem. My edits in this message do *not* propose that change, but if people here think this is sound, i'm happy to take another crack at this. Regards, --dkg
- [openpgp] changing the trailer for hashed data in… Daniel Kahn Gillmor
- Re: [openpgp] changing the trailer for hashed dat… Daniel Huigens
- Re: [openpgp] changing the trailer for hashed dat… Daniel Kahn Gillmor