Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)

Marcus Brinkmann <marcus.brinkmann@rub.de> Thu, 18 August 2022 20:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aUeUKuIH8DXP1G91sXwR_oqyXJw>

Hi Daniel,

> On 18.08.2022 at 20:47, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote:
>> Here I would suggest to add a variable length field to the AD of every chunk with a two-octet length followed by raw context parameter that would be provided upon encryption and decryption by the implementation.
> 
> Is there a particular reason for the two-octet length? Can we not simply append the context to what we have now? Not that it would cost much to add a length, just checking if there's some security reason.

Thank you for the question! There is no security reason; you can just append the variable-length context parameter to the AD without a length field, and that is in fact what the prototype implementation that I did for the paper does.

There is just one caveat. If you ever want to add more to the AD, and there is no length field, you have to bump the version number of the v2 SEIPD packet to get separation.

For signing, things might be different, as there the document data is already taking up the slot for "variable length data without length field", so a length field might be needed there (for example, if the context parameter is part of the trailer, an attacker may be able to influence the context parameter to spoof a second trailer that is then valid for a modified document that consists of the original document plus the proper trailer).

Thanks,
Marcus

—
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
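
An added example, not part of the original message and not the prototype it mentions: the two encoding ambiguities discussed above, shown as byte-string comparisons. `FIXED` is a constructed placeholder rather than the real OpenPGP octets, all function names are hypothetical, and putting the two-octet length after the context in the signing case (so the trailer parses from the end) is this example's own choice.

```python
import struct

# Constructed placeholder for the fixed octets of the AD / signature trailer;
# these are not the real OpenPGP values.
FIXED = b"\x00FIXED\x00"

def ad_plain(ctx: bytes, extra: bytes = b"") -> bytes:
    """AD with the context appended raw; `extra` models a later addition."""
    return FIXED + ctx + extra

def ad_framed(ctx: bytes, extra: bytes = b"") -> bytes:
    """Same AD, but the context carries a two-octet big-endian length."""
    return FIXED + struct.pack(">H", len(ctx)) + ctx + extra

def ad_extension_collides(encode) -> bool:
    """Old layout with context b'abcd' vs. extended layout with b'ab' + b'cd'."""
    return encode(b"abcd") == encode(b"ab", b"cd")

def signed_plain(doc: bytes, ctx: bytes) -> bytes:
    """Hash input: unframed document, then a trailer ending in the raw context."""
    return doc + FIXED + ctx

def signed_framed(doc: bytes, ctx: bytes) -> bytes:
    """Trailer = context, its two-octet length, fixed octets (parses from the end)."""
    return doc + ctx + struct.pack(">H", len(ctx)) + FIXED

def parse_signed_framed(data: bytes):
    """Split a framed hash input back into (doc, ctx); the split is unique."""
    end = len(data) - len(FIXED)
    if end < 2 or not data.endswith(FIXED):
        raise ValueError("bad trailer")
    (n,) = struct.unpack(">H", data[end - 2:end])
    if n > end - 2:
        raise ValueError("context length exceeds input")
    return data[:end - 2 - n], data[end - 2 - n:end - 2]

def trailer_collides(encode) -> bool:
    """Does (doc, context with embedded trailer) encode like (longer doc, short context)?"""
    doc, ctx = b"pay 10", b"mail"
    embedded = b"x" + FIXED + ctx  # context that itself contains trailer octets
    return encode(doc, embedded) == encode(doc + FIXED + b"x", ctx)

if __name__ == "__main__":
    print("AD extension ambiguous, no length:  ", ad_extension_collides(ad_plain))
    print("AD extension ambiguous, with length:", ad_extension_collides(ad_framed))
    print("trailer ambiguous, no length:       ", trailer_collides(signed_plain))
    print("trailer ambiguous, with length:     ", trailer_collides(signed_framed))
```

Without a length field the old and extended AD layouts produce identical octets, which is why the message says a version bump would be needed for separation; for signing, only the end-parseable trailer maps each hash input back to a single (document, context) pair.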