IETF Logo Mail Archive

Re: [openpgp] Padding packets

Daniel Huigens <d.huigens@protonmail.com> Fri, 17 June 2022 13:19 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D519C14CF01 for <openpgp@ietfa.amsl.com>; Fri, 17 Jun 2022 06:19:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qMwtcMou7km2 for <openpgp@ietfa.amsl.com>; Fri, 17 Jun 2022 06:19:45 -0700 (PDT)
Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43250C14F75F for <openpgp@ietf.org>; Fri, 17 Jun 2022 06:19:45 -0700 (PDT)
Date: Fri, 17 Jun 2022 13:19:37 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1655471983; x=1655731183; bh=duRzclXEUcpMH6ZfsV7FWQTVATrZ8XwzlwXgfmWylP8=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=tzgfBMtZt6CxNe+BSN6ARY7Cl4AD2GYOO7qbSAEX2OuxcZbl/YhnCx/zwuY8jQsY5 i7knAabSRxmklTArfTYmFq0hF24WQup2KoHmSJRH8oG0r77CzUwyWucEDKThpykcoA IwTvii107R8koagRKHK9EHa98CZ5DHVVjxz2P3A72VGzP7kkBVw4YY5ECunkhwKCaD 8UStn2cLuHY0zAnYTKmnVwBNHawy27qrpHhM3+090HNUfrUpWnn7UFjWrIeb1DRVQO MZt6uOT/r2+HQxZGeUmtHZA8OnUDEn35KYbmaF1O3hQ7Xu34LGVCQ03CXLWyKA6EzB 2kuBrYMAJrneQ==
To: "Neal H. Walfield" <neal@walfield.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Ángel <angel@16bits.net>, openpgp@ietf.org, "brian m. carlson" <sandals@crustytoothpaste.net>
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <3R01BgeAsIJWAL_DdKQ6fQxJFK_m6Klj9aKJ1COVNvmk0AC_jlizEOjvOH1UwlIIj9ul387szZDi9R5ojN0dlF-v3gK__DtdRCuaDvOv8zs=@protonmail.com>
In-Reply-To: <87k09fh2ga.wl-neal@walfield.org>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net> <o17TAfJTeOZkYp5X-XwNQwnTrCaiKEGnn1ZAL1qLB5CTGKntjwv6dpCIah44pAdH8nHXa4ivte_MMtqXuKP3uhobW5kJk9E6rAEWneD11yA=@protonmail.com> <87k09fh2ga.wl-neal@walfield.org>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/iS0EENyd98XAnXWzHnplBAReY9E>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2022 13:19:50 -0000

Hi Neal,

> One issue I see with this type of deterministic padding is that if a
> message or archive contains multiple padding packets, then it will be
> compressible. That will not be the case if we bind the padding to the
> preceding packet.

As currently specified, I think a message can't contain multiple padding
packets; and in a message archive, the padding packets will be inside
the encrypted data packet, so they should still be incompressible.
However, I could see in the case of a keyring (e.g. returning multiple
keys from WKD), it might be useful to have a padding packet in each key,
though we could also argue that the server should just append only one
padding packet at the very end.

If we do care about multiple padding packets, maybe rather than binding
it to the previous packet, providing a random key would be sufficient?
For example, we could specify that the packet contains 16 random bytes,
followed by a AES-CTR encryption using that key.

(I'm not a fan of having to hash the preceding packet, because when
stream-decrypting, you don't know in advance if there will be a padding
packet, and the preceding packet in that case could be the literal data
packet which is potentially very large.)

Best,
Daniel

v2.23.0 | Report a Bug | By Email