IETF Logo Mail Archive

Re: [openpgp] Padding packets

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 June 2022 23:03 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7D5C14CF0D for <openpgp@ietfa.amsl.com>; Tue, 21 Jun 2022 16:03:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=874/zdHC; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=zdEbH2d7
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7Q9TeQ6dyNH for <openpgp@ietfa.amsl.com>; Tue, 21 Jun 2022 16:03:00 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1047BC14CF08 for <openpgp@ietf.org>; Tue, 21 Jun 2022 16:02:59 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1655852577; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=5B5rgNnSEPl2wqh32/c1fjjl+nPgCDc+VizBSotImTQ=; b=874/zdHCyhIAwloPCbXfJ+TQgk6CsdBD0M3N6FZcg+p6zp9LJyCwe2/mCoB+znN7TQAT9 StWtyIlS30uZjrqDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1655852577; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=5B5rgNnSEPl2wqh32/c1fjjl+nPgCDc+VizBSotImTQ=; b=zdEbH2d7wS00avWnLoQFxvzWuZCQxoKrbfLeOIlV+YO3IcyMXYDdDIqTO1JHXML7MAqOa Ka1y/Qu4RjTgTwo55sAvJXAY3NIRlMM+9N7WYAOgisZ0JC7xGgKK2VA+ubtaW3bJXtletBM TFY+LPB68b+NM21LyHQakvuPerHu43NV9itNyY0fWY7fenX5wPPyX89/qP/j4rf7NDbJwQJ pgNahi3ge4vJATItnCnZM8BtElQYItM+qk2MvHzVXwmHCp1tK5Vcysn+936lRrljLLSfE+y uER86ZjcHzgqsKPA+CZoXc1bhJ0dxblyDMv+kFRLgUWjbAsHHqYVxc2jhs3A==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id EDB1BF9AE for <openpgp@ietf.org>; Tue, 21 Jun 2022 19:02:56 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 1355720439; Tue, 21 Jun 2022 19:02:54 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <uD26D3k2l-7O9su7otzxmVOfZSOGK4FGCoSr1YRUuRhp7vUpaSDCv1qrI7ieaWz5SEz9APsTob-AUtTP-VQ07AECoLtVlbc9m8pHtQZLz9I=@protonmail.com>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net> <o17TAfJTeOZkYp5X-XwNQwnTrCaiKEGnn1ZAL1qLB5CTGKntjwv6dpCIah44pAdH8nHXa4ivte_MMtqXuKP3uhobW5kJk9E6rAEWneD11yA=@protonmail.com> <87czf36uwi.fsf@fifthhorseman.net> <uD26D3k2l-7O9su7otzxmVOfZSOGK4FGCoSr1YRUuRhp7vUpaSDCv1qrI7ieaWz5SEz9APsTob-AUtTP-VQ07AECoLtVlbc9m8pHtQZLz9I=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 21 Jun 2022 19:02:53 -0400
Message-ID: <87zgi562n6.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/pkNZ21f_FHAUcueZg69aMb5hWYo>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2022 23:03:04 -0000

On Tue 2022-06-21 10:02:14 +0000, Daniel Huigens wrote:
> To be perfectly honest, I think the protection against compression is
> somewhat dubious, in general. If I pad a message and *then* compress,
> there may still be length differences due to differences in the
> message, so the protection the padding is meant to offer is reduced,
> or even removed.

You're right that the metadata fields in OpenPGP packets are themselves
fairly low-entropy, so the protection a padding packet can provide
against compression isn't going to be bulletproof.

But requiring a fixed high-entropy string when under compression adds an
additional risk: it makes it possible for an adversary that is capable
of injecting data somewhere in the non-padding sequence to test whether
a padding packet is present, by injecting some part of the mandated byte
sequence (this is similar to how the CRIME attack against HTTP works).
So the fixed-string approach weakens further the defense against
accidental content leakage based on compression.

> So - personally, I would also not be entirely opposed to setting the
> padding to all zeros, and saying that if length protection is desired,
> compression must not be used. In an encrypted message, the OpenPGP
> implementation obviously has control over this itself; and in the case
> of WKD the server also has control over this.

IIRC, the padding packet was initially proposed as containing all-zeros,
as a way to avoid adding yet another side channel; the DT changed it to
high-entropy data specifically because of concerns about compression.

As we make this decision collectively, we should also remember that
compression can take place outside the OpenPGP layer (e.g. if the
OpenPGP packet stream is being sent over a web server, it might do
on-the-fly gzip compression).

If we recommend that the packet contain all-zeros as proof of
no-covert-channel, i *still* don't think it's advisable to require
implementations to reject the entire packet sequence if any non-zero
data is found in a padding packet.  At most i'd say that some
implementations may want to warn the user that there may be hidden
data (but see [*] below).

The two places that padding is currently recommended for an OpenPGP
packet sequence that want to obscure message length are:

 a) encrypted messages (the last packet in the packet stream inside an
    unwrapped SEIPDv2 packet)

 b) at the end of an OpenPGP certificate (which is presumably sent over
    encrypted channels, like WKD)

In either of these contexts, any message generator that wants to embed
arbitrary data can do so.  At least the following channels are possible:

 (A) Inside the SEIPDv2-wrapped packet stream, the message generator can
     prefix the desired packet stream with a Signature packet, marked
     with a pubkey algorithm in the experimental range.  The content of
     this packet can contain anything.  It should be ignored by the
     recipient, as any signature from an unknown algorithm will be
     ignored by any consumer.

 (B) In an OpenPGP certificate, the message generator could stuff
     arbitrary non-critical subpackets marked with experimental
     subpacket types (or, notations, with a novel notation name) into
     the unhashed region of any and all certifications in the
     certificate, including the self-sigs.  Non-critical subpackets of
     unknown type, in the unhashed region, will be ignored by any
     consumer.

 (A.2) in the event that the SEIPDv2-wrapped packet stream already
       contains a signature packet, the generator can also stuff
       arbitrary data into the signature's unhashed subpacket area as
       well, without adding an explicit additional packet.

(see also the rejected
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/112/diffs for
even more possible existing mechanisms)

So the padding packet doesn't open a *new* covert channel, regardless of
how it is specified.

[*] Any implementation that thinks it would be important to warn the
    user about a high-entropy covert channel in the padding packet's
    contents (let alone to reject a high-entropy covert channel in
    padding) should *also* already be warning the user about potential
    covert channels in the above types of data.  I'm unaware of any
    existing implementation that warns the user, let alone rejects a
    packet stream on these grounds.

So, why have a padding packet at all if these other mechanisms are
available?  Simplicity, clarity, and robustness.

By formalizing a place to do padding, implementers don't have to invent
the options described above, or come up with some other crazy scheme.
It's also easier to do than subpacket injection (appending a packet
rather inserting, which would requires packet header manipulation).  And
by allowing padding within the OpenPGP layer, the message can be padded
even if it is being transported over a mechanism that doesn't have
another way to do padding.  Making its content unpredictable and
high-entropy is a way to reduce (but not completely eliminate) the risk
of some external compression layer accidentally defeating the purpose.

Having an explicit padding packet will hopefully encourage implementers
and deployers to consider metadata leakage, which is increasingly
important as we move to a majority-encrypted network.

          --dkg

v2.23.0 | Report a Bug | By Email