IETF Logo Mail Archive

Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless

Bruce Walzer <bwalzer@59.ca> Fri, 15 July 2022 19:27 UTC

Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4974C13C50C for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 12:27:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBUIKx5mNPLR for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 12:27:56 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8E94C13C50B for <openpgp@ietf.org>; Fri, 15 Jul 2022 12:27:56 -0700 (PDT)
Received: from [10.0.0.2] (helo=ohm.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_CHACHA20_POLY1305_SHA256 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oCQyT-000KRa-Vd; Fri, 15 Jul 2022 14:27:41 -0500
Date: Fri, 15 Jul 2022 14:27:40 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Message-ID: <YtG/rE5D71hJtFyM@ohm.59.ca>
References: <YtFLcfKMEC/vRXY+@watt.59.ca> <8z4hYvgxLiNrfVMLCTfxUFCm6MVzugdNOvjPdvn4qoRF76lESafW0nqnQthrtCGbGK3ire9lqAmrJetJHHCYJiHhxXXgkCWKB5zmPc6Ax-g=@protonmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <8z4hYvgxLiNrfVMLCTfxUFCm6MVzugdNOvjPdvn4qoRF76lESafW0nqnQthrtCGbGK3ire9lqAmrJetJHHCYJiHhxXXgkCWKB5zmPc6Ax-g=@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WwjRsam1ID_BbPXqusEieEPSdx8>
Subject: Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 19:27:58 -0000

On Fri, Jul 15, 2022 at 12:15:51PM +0000, Daniel Huigens wrote:
[...]

> If the check is there, there's no reason to do the attack, and thus
> the error should only show up if there's some bug, which should be
> caught quickly thanks to the check. So I think that errors being bad
> UX is not a sufficient argument not to have the check (you also have
> to somehow argue why the errors would show up at all).

If the error is in the spec, then I, as the application programmer,
have to deal with it somehow. So I can't get around having to decide
what to provide the user instead of the message they are expecting.

> Then, if you (somewhat) agree with that, I want to bring up a practical
> advantage of the new scheme: it breaks up messages into chunks, which
> can be checked and released to the application individually, instead of
> having to wait for the MDC at the end of the message.

Why would the application programmer perfer having to dechunk the
message?

> > approach based on, you know, authenticity?
> 
> EFAIL is an attack against confidentiality, not just authenticity.

I don't understand how this relates to anything I said in the article.

> That's why it should be fixed at the encryption layer, imo. You might
> also not have the public key of the sender, and requiring that just to

I was not suggesting that anonymous/unsigned messages should be
withheld, only modified.

> Then, you might still ask, why use AEAD instead of OCFB-MDC.
> A proper AEAD scheme integrates confidentiality and integrity, which
> makes providing both more efficient and more secure.

Are we implying here that OCFB-MDC is inefficient? I don't know how
you can get more secure than secure.

> If you want proof
> of that, you should ask a cryptographer instead of me, but a security
> proof is typically included with the paper of any good AEAD scheme.

A proof that depends on a set of assumptions. So all that means is
that to break the scheme you defy the assumptions. For example, if you
assume that your MAC check is invulnerable to attack then you can make
a scheme that entirely depends on the MAC that is also invulnerable
under that assumption.

> A security proof for OCFB-MDC doesn't exist, as far as I know, and
> it's doubtful whether it's possible to provide one, which in itself
> should be worrying, even if nobody has been able to come up with a
> practical attack (so far).

What is the purpose of the security proof in the first place? I would
suggest it is intended to produce schemes that will go a long time
before someone figures out how to break them. If someone could
magically claim that a particular theoretical approach would guarantee
perfect security for 20 years then I think it would be agreed that
that approach was a very good one. OCFB-MDC has already run out that
much time. At some point experience has to trump analysis. If 20 years
is not enough then how long would it take?

Bruce

v2.23.0 | Report a Bug | By Email