Re: [openpgp] Padding packets
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 June 2022 23:03 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7D5C14CF0D for <openpgp@ietfa.amsl.com>; Tue, 21 Jun 2022 16:03:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=874/zdHC; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=zdEbH2d7
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7Q9TeQ6dyNH for <openpgp@ietfa.amsl.com>; Tue, 21 Jun 2022 16:03:00 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1047BC14CF08 for <openpgp@ietf.org>; Tue, 21 Jun 2022 16:02:59 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1655852577; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=5B5rgNnSEPl2wqh32/c1fjjl+nPgCDc+VizBSotImTQ=; b=874/zdHCyhIAwloPCbXfJ+TQgk6CsdBD0M3N6FZcg+p6zp9LJyCwe2/mCoB+znN7TQAT9 StWtyIlS30uZjrqDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1655852577; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=5B5rgNnSEPl2wqh32/c1fjjl+nPgCDc+VizBSotImTQ=; b=zdEbH2d7wS00avWnLoQFxvzWuZCQxoKrbfLeOIlV+YO3IcyMXYDdDIqTO1JHXML7MAqOa Ka1y/Qu4RjTgTwo55sAvJXAY3NIRlMM+9N7WYAOgisZ0JC7xGgKK2VA+ubtaW3bJXtletBM TFY+LPB68b+NM21LyHQakvuPerHu43NV9itNyY0fWY7fenX5wPPyX89/qP/j4rf7NDbJwQJ pgNahi3ge4vJATItnCnZM8BtElQYItM+qk2MvHzVXwmHCp1tK5Vcysn+936lRrljLLSfE+y uER86ZjcHzgqsKPA+CZoXc1bhJ0dxblyDMv+kFRLgUWjbAsHHqYVxc2jhs3A==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id EDB1BF9AE for <openpgp@ietf.org>; Tue, 21 Jun 2022 19:02:56 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 1355720439; Tue, 21 Jun 2022 19:02:54 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <uD26D3k2l-7O9su7otzxmVOfZSOGK4FGCoSr1YRUuRhp7vUpaSDCv1qrI7ieaWz5SEz9APsTob-AUtTP-VQ07AECoLtVlbc9m8pHtQZLz9I=@protonmail.com>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net> <o17TAfJTeOZkYp5X-XwNQwnTrCaiKEGnn1ZAL1qLB5CTGKntjwv6dpCIah44pAdH8nHXa4ivte_MMtqXuKP3uhobW5kJk9E6rAEWneD11yA=@protonmail.com> <87czf36uwi.fsf@fifthhorseman.net> <uD26D3k2l-7O9su7otzxmVOfZSOGK4FGCoSr1YRUuRhp7vUpaSDCv1qrI7ieaWz5SEz9APsTob-AUtTP-VQ07AECoLtVlbc9m8pHtQZLz9I=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 21 Jun 2022 19:02:53 -0400
Message-ID: <87zgi562n6.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/pkNZ21f_FHAUcueZg69aMb5hWYo>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2022 23:03:04 -0000
On Tue 2022-06-21 10:02:14 +0000, Daniel Huigens wrote: > To be perfectly honest, I think the protection against compression is > somewhat dubious, in general. If I pad a message and *then* compress, > there may still be length differences due to differences in the > message, so the protection the padding is meant to offer is reduced, > or even removed. You're right that the metadata fields in OpenPGP packets are themselves fairly low-entropy, so the protection a padding packet can provide against compression isn't going to be bulletproof. But requiring a fixed high-entropy string when under compression adds an additional risk: it makes it possible for an adversary that is capable of injecting data somewhere in the non-padding sequence to test whether a padding packet is present, by injecting some part of the mandated byte sequence (this is similar to how the CRIME attack against HTTP works). So the fixed-string approach weakens further the defense against accidental content leakage based on compression. > So - personally, I would also not be entirely opposed to setting the > padding to all zeros, and saying that if length protection is desired, > compression must not be used. In an encrypted message, the OpenPGP > implementation obviously has control over this itself; and in the case > of WKD the server also has control over this. IIRC, the padding packet was initially proposed as containing all-zeros, as a way to avoid adding yet another side channel; the DT changed it to high-entropy data specifically because of concerns about compression. As we make this decision collectively, we should also remember that compression can take place outside the OpenPGP layer (e.g. if the OpenPGP packet stream is being sent over a web server, it might do on-the-fly gzip compression). If we recommend that the packet contain all-zeros as proof of no-covert-channel, i *still* don't think it's advisable to require implementations to reject the entire packet sequence if any non-zero data is found in a padding packet. At most i'd say that some implementations may want to warn the user that there may be hidden data (but see [*] below). The two places that padding is currently recommended for an OpenPGP packet sequence that want to obscure message length are: a) encrypted messages (the last packet in the packet stream inside an unwrapped SEIPDv2 packet) b) at the end of an OpenPGP certificate (which is presumably sent over encrypted channels, like WKD) In either of these contexts, any message generator that wants to embed arbitrary data can do so. At least the following channels are possible: (A) Inside the SEIPDv2-wrapped packet stream, the message generator can prefix the desired packet stream with a Signature packet, marked with a pubkey algorithm in the experimental range. The content of this packet can contain anything. It should be ignored by the recipient, as any signature from an unknown algorithm will be ignored by any consumer. (B) In an OpenPGP certificate, the message generator could stuff arbitrary non-critical subpackets marked with experimental subpacket types (or, notations, with a novel notation name) into the unhashed region of any and all certifications in the certificate, including the self-sigs. Non-critical subpackets of unknown type, in the unhashed region, will be ignored by any consumer. (A.2) in the event that the SEIPDv2-wrapped packet stream already contains a signature packet, the generator can also stuff arbitrary data into the signature's unhashed subpacket area as well, without adding an explicit additional packet. (see also the rejected https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/112/diffs for even more possible existing mechanisms) So the padding packet doesn't open a *new* covert channel, regardless of how it is specified. [*] Any implementation that thinks it would be important to warn the user about a high-entropy covert channel in the padding packet's contents (let alone to reject a high-entropy covert channel in padding) should *also* already be warning the user about potential covert channels in the above types of data. I'm unaware of any existing implementation that warns the user, let alone rejects a packet stream on these grounds. So, why have a padding packet at all if these other mechanisms are available? Simplicity, clarity, and robustness. By formalizing a place to do padding, implementers don't have to invent the options described above, or come up with some other crazy scheme. It's also easier to do than subpacket injection (appending a packet rather inserting, which would requires packet header manipulation). And by allowing padding within the OpenPGP layer, the message can be padded even if it is being transported over a mechanism that doesn't have another way to do padding. Making its content unpredictable and high-entropy is a way to reduce (but not completely eliminate) the risk of some external compression layer accidentally defeating the purpose. Having an explicit padding packet will hopefully encourage implementers and deployers to consider metadata leakage, which is increasingly important as we move to a majority-encrypted network. --dkg
- [openpgp] Padding packets Werner Koch
- Re: [openpgp] Padding packets Paul Schaub
- Re: [openpgp] Padding packets Ángel
- Re: [openpgp] Padding packets brian m. carlson
- Re: [openpgp] Padding packets Werner Koch
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Neal H. Walfield
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Huigens
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Stephen Farrell
- Re: [openpgp] Padding packets Daniel Kahn Gillmor
- Re: [openpgp] Padding packets Stephen Farrell