IETF Logo Mail Archive

[openpgp] New encryption formats for messaging

David Leon Gil <coruus@gmail.com> Sat, 14 March 2015 00:41 UTC

Return-Path: <coruus@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E791A90A4 for <openpgp@ietfa.amsl.com>; Fri, 13 Mar 2015 17:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_IHmqWW53Dp for <openpgp@ietfa.amsl.com>; Fri, 13 Mar 2015 17:41:41 -0700 (PDT)
Received: from mail-yk0-x234.google.com (mail-yk0-x234.google.com [IPv6:2607:f8b0:4002:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8F161A9062 for <openpgp@ietf.org>; Fri, 13 Mar 2015 17:41:39 -0700 (PDT)
Received: by ykek76 with SMTP id k76so249540yke.0 for <openpgp@ietf.org>; Fri, 13 Mar 2015 17:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=XPyj+i4WPwkxetUI5DLOM8IEv+L/Vmb/w3bJNuHV7Pc=; b=tRPELeUXEKdL2Cbu87yufhdkyHw1eFCTWCSk6Y60O1LuJovDJrSDTAoShEy5GgpiTW w5JVdyaBXOcTcsiNFbQvgFXaPpsTHMz6Z3fzF53jw/CNESYbgIKbDP1AYw9Mwx6Rbz0r mjAsV2ZrYtHy/eRWs027dVuNnlyqQ01gqDXxzVJfgoLPEjnr9Hs4Wuq5qzhuhhre8qZ+ l2ahVNlQHKndYiqLgEBbbq2J6Vba+W3qEt8TRPQvvJPXrQ6PQYsTHC4Xpu3TPafrG37h n9TNFm9OOERUkacUp3uWGIzN/OVK8/saKI5DYxCBEPZ/CG4Raoo+fLPX86vw0u3OcVSI X/4g==
X-Received: by 10.236.105.210 with SMTP id k58mr49131941yhg.52.1426293699190; Fri, 13 Mar 2015 17:41:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.170.125.80 with HTTP; Fri, 13 Mar 2015 17:41:18 -0700 (PDT)
From: David Leon Gil <coruus@gmail.com>
Date: Fri, 13 Mar 2015 17:41:18 -0700
Message-ID: <CAA7UWsUz65C0GAQo8Yf7ZOeT9BYy+NLV5pbbPg+Ok0-72ca1eA@mail.gmail.com>
To: "openpgp@ietf.org" <openpgp@ietf.org>, "dgil@yahoo-inc.com" <dgil@yahoo-inc.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/jEKLj7vLFwrezkYMijTBwtW29ec>
Subject: [openpgp] New encryption formats for messaging
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2015 00:41:42 -0000

Some desiderata, generally:

A0. Be as secure as possible by default. Do not offer options to
fallback to doing unsafe things. "Experienced" users often think they
want them; there are usually better solutions for their use-cases.

A1. Only specify a single asymmetric encryption scheme and a single
asymmetric signature scheme. This is critical: This is the second most
dangerous and buggy code in any crypto scheme.

A2. Clearly separate handling of various message and key metadata from
the underlying encryption scheme. This is critical: Parsing code is
the most dangerous and buggy code in any crypto scheme.

A3. Do not specify things which are infeasible to thoroughly test.
This implies avoiding combinatorial complexity, which the OpenPGPv4
spec doesn't.

A4. All messages, including signed but unencrypted messages, should be
indistinguishable from random to an adversary who does not know the
public key of the signer. (This is, essentially, a Tor-style security
requirement.)

Some desiderata for symmetric primitive choices:

B1. Only modern hash functions that provide a significant security
margin against cryptanalysis. Let's not repeat the MD-5/SHA-1
disaster. (We only need two hash functions at most.)

B2. Only block and stream ciphers that offer a significant margin of
safety against cryptanalysis. (Or that, when composed, offer a
significant margin of safety against cryptanalysis.)

B3.. A single AEAD mode that is maximally misuse-resistant, in the
sense of https://eprint.iacr.org/2014/793. (But probably not AEZ, or
any other CAESAR competitor for that matter. I would prefer a scheme
that uses generic composition of well-studied primitives.)

Thus, what any proposal should specify, at the crypto level:

C1. A single curve providing security above the 192-bit-equivalent
level. (This is because the *tightest* security reductions for any
concrete instantiation of EC primitives result in a security level of
~ 120-bits for a 384-bit curve.)

C2. A single message format intended for use with signed and encrypted
messages of length >> 128 bytes and << 2^24 bytes. (That is, something
appropriate for email. I would consider encryption of large files and
very short messages out of scope at this time.) I am agnostic as to
whether encrypted-then-signed or signed-then-encrypted is preferable.
I am curious if anyone else has strong views on this?

C3. A single message format intended for detached signatures. This
should target, specifically, the common use-case of OpenPGP signatures
for code-signing.

C4. Specify a mechanism for encapsulating a signature over the body of
an HTML email in a way that is compatible with HTML email as commonly
used. This signature should be indifferentiable from random for anyone
who does not know the public key of the sender.

(This last should be easy. A concrete proposal: If a
"data-openpgp-sig" attribute is present on a tag, it contains a
base64urlsafe-encoded signature over the contents of that tag, with no
special normalization rules applied. This can be made more precise by
reference to the HTML5 spec.)

And what a proposal should specify, for various key and message metadata:

D1. A standard format for encapsulating arbitrary key and message metadata.

D2. Mappings from OpenPGPv3 metadata to that format, as appropriate.

--

Final comment:

I am, quite frankly, agnostic as to whether an IETF WG or another
forum is the most appropriate place to specify something.

The IETF lately has not seemed to be so much about canonizing "de
facto" standards (which it was good at) as design-by-committee (which
it isn't). And recent revelations have shown that design-by-committee
is -- besides being irritating for implementors -- a boon to
intelligence agencies.

So: I would encourage anyone interested in seeing something
standardized to make a complete proposal a la Hugo Krawycz's OP-TLS
proposal for TLS1.3. But implement the proposal first. Working code
&c.

Taking a scattershot approach will lead to a shoddy, messy, unsafe
result. Yahoo will not support a specification that, by sloppiness or
untestability, makes our users unsafe.

David Leon Gil
Senior Paranoid
Yahoo!

v2.23.0 | Report a Bug | By Email