Re: [openpgp] Padding packets
Daniel Huigens <d.huigens@protonmail.com> Fri, 17 June 2022 13:19 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D519C14CF01 for <openpgp@ietfa.amsl.com>; Fri, 17 Jun 2022 06:19:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qMwtcMou7km2 for <openpgp@ietfa.amsl.com>; Fri, 17 Jun 2022 06:19:45 -0700 (PDT)
Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43250C14F75F for <openpgp@ietf.org>; Fri, 17 Jun 2022 06:19:45 -0700 (PDT)
Date: Fri, 17 Jun 2022 13:19:37 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1655471983; x=1655731183; bh=duRzclXEUcpMH6ZfsV7FWQTVATrZ8XwzlwXgfmWylP8=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=tzgfBMtZt6CxNe+BSN6ARY7Cl4AD2GYOO7qbSAEX2OuxcZbl/YhnCx/zwuY8jQsY5 i7knAabSRxmklTArfTYmFq0hF24WQup2KoHmSJRH8oG0r77CzUwyWucEDKThpykcoA IwTvii107R8koagRKHK9EHa98CZ5DHVVjxz2P3A72VGzP7kkBVw4YY5ECunkhwKCaD 8UStn2cLuHY0zAnYTKmnVwBNHawy27qrpHhM3+090HNUfrUpWnn7UFjWrIeb1DRVQO MZt6uOT/r2+HQxZGeUmtHZA8OnUDEn35KYbmaF1O3hQ7Xu34LGVCQ03CXLWyKA6EzB 2kuBrYMAJrneQ==
To: "Neal H. Walfield" <neal@walfield.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Ángel <angel@16bits.net>, openpgp@ietf.org, "brian m. carlson" <sandals@crustytoothpaste.net>
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <3R01BgeAsIJWAL_DdKQ6fQxJFK_m6Klj9aKJ1COVNvmk0AC_jlizEOjvOH1UwlIIj9ul387szZDi9R5ojN0dlF-v3gK__DtdRCuaDvOv8zs=@protonmail.com>
In-Reply-To: <87k09fh2ga.wl-neal@walfield.org>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net> <o17TAfJTeOZkYp5X-XwNQwnTrCaiKEGnn1ZAL1qLB5CTGKntjwv6dpCIah44pAdH8nHXa4ivte_MMtqXuKP3uhobW5kJk9E6rAEWneD11yA=@protonmail.com> <87k09fh2ga.wl-neal@walfield.org>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/iS0EENyd98XAnXWzHnplBAReY9E>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2022 13:19:50 -0000
Hi Neal, > One issue I see with this type of deterministic padding is that if a > message or archive contains multiple padding packets, then it will be > compressible. That will not be the case if we bind the padding to the > preceding packet. As currently specified, I think a message can't contain multiple padding packets; and in a message archive, the padding packets will be inside the encrypted data packet, so they should still be incompressible. However, I could see in the case of a keyring (e.g. returning multiple keys from WKD), it might be useful to have a padding packet in each key, though we could also argue that the server should just append only one padding packet at the very end. If we do care about multiple padding packets, maybe rather than binding it to the previous packet, providing a random key would be sufficient? For example, we could specify that the packet contains 16 random bytes, followed by a AES-CTR encryption using that key. (I'm not a fan of having to hash the preceding packet, because when stream-decrypting, you don't know in advance if there will be a padding packet, and the preceding packet in that case could be the literal data packet which is potentially very large.) Best, Daniel
- [openpgp] Padding packets Werner Koch
- Re: [openpgp] Padding packets Paul Schaub
- Re: [openpgp] Padding packets Ángel
- Re: [openpgp] Padding packets brian m. carlson
- Re: [openpgp] Padding packets Werner Koch
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Neal H. Walfield
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Stephen Farrell
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Stephen Farrell