IETF Logo Mail Archive

[openpgp] saltpack on OpenPGP message format problems

ianG <iang@iang.org> Wed, 10 February 2016 09:29 UTC

Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE901A03A9 for <openpgp@ietfa.amsl.com>; Wed, 10 Feb 2016 01:29:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.093
X-Spam-Level: **
X-Spam-Status: No, score=2.093 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DC_PNG_UNO_LARGO=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_10_20=0.093, TO_NO_BRKTS_HTML_IMG=1.999] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hOnudd1EMR8g for <openpgp@ietfa.amsl.com>; Wed, 10 Feb 2016 01:29:48 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608401A03A5 for <openpgp@ietf.org>; Wed, 10 Feb 2016 01:29:47 -0800 (PST)
Received: from tormenta.local (iang.org [209.197.106.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by virulha.pair.com (Postfix) with ESMTPSA id 6748D6D72C; Wed, 10 Feb 2016 04:29:45 -0500 (EST)
To: openpgp@ietf.org
From: ianG <iang@iang.org>
Message-ID: <56BB0308.8020504@iang.org>
Date: Wed, 10 Feb 2016 09:29:44 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------080102060003030905070508"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/rZafrdjbJNRMhYQ-JoxyaZ4r12I>
Subject: [openpgp] saltpack on OpenPGP message format problems
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2016 09:29:50 -0000

(we should probably fix these one day)

https://saltpack.org/pgp-message-format-problems

We know from re-implementing PGP's message format (RFC 4880 
<https://tools.ietf.org/html/rfc4880>) ourselves (here 
<https://keybase.io/kbpgp>), it has a lot of issues. Some make life 
difficult for implementers, but others are problems for end users too:


        1. PGP encryption doesn't authenticate the sender.

There's no way to verify who a PGP message is from unless it's signed. 
That means that as a sender, you can't authenticate yourself without 
giving up repudiability. Partly because of this, authentication is off 
by default.

In contrast, NaCl encryption authenticates the sender in a repudiable 
way. That makes it easy for us to enable authentication by default. It 
also means that we don't need special support for a "signed and 
encrypted" mode, because very few applications actually want that.


        2. GnuPG will output data that doesn't verify.

If you run|gpg --decrypt|on a corrupt message, it will print the 
plaintext to stdout, and you'll only find out if the message is bad at 
the/end/, after you've streamed out/unsigned data/. Try it on this 
message signed byJack's key <https://keybase.io/oconnor663/key.asc>:

|-----BEGIN PGP MESSAGE----- Version: GnuPG v2 
kA0DAAIBcYdraK1ILTIBy5liAFaqa7BKb2huIEphY29iIEppbmdsZWhlaW1lciBT 
Y2htaWR0LApIaXMgbmFtZSBpcyBteSBuYW1lIHRvby4KV2hlbmV2ZXIgd2UgZ28g 
b3V0LApUaGUgcGVvcGxlIGFsd2F5cyBzaG91dCwKVGhlcmUgZ29lcyBBIE1BTiBJ 
TiBUSEUgTUlERExFIE9IIFNISUlJMTF0IQqJARwEAAECAAYFAlaqa7AACgkQcYdr 
aK1ILTK6Ewf9GIIzBmtGuNeJXUGAoDbG5mmVDyMwpu3i72OwOfoSo+4GI6mT/FuV 
PKh7HCKwglmTuO2oazg0sUnoktjmHxdNQuJZ+6ii/5xXb80XEHFECFDClrjwbkeE 
+3irJDrpnmuQzRyJVOYh+fr7dxrlN7pgMdjlkbAgWnATZ+k1zf8z40p8SANNpXHt 
9yie6nuzKUd1LUujPa4sz6BfNW0Clcp3c0XFeU2je//4TcZ+4/Ql2B1/MdzqF4+G 
TPh+B1L8k9F9TNgyh9lXyez90oRLEvw3+3o9+CvMvQb6Gb8aR+eW/rE+wabdiwSY 
qfLaI0VHvwNCa1NV/5MmX6UKUzNV2c4vcAo= =uIW7 -----END PGP MESSAGE----- |


        3. Anonymous recipients aren't fully anonymous.

Even with the|--hidden-recipient|flag, RSA encryptionleaks some 
information about the recipient's key 
<http://security.stackexchange.com/a/22705/36852>.


        4. PGP ASCII armor isn't friendly to modern apps and phones.


One of many manglings

Almost all apps, email clients, chat clients, and web pages do 
post-processing on the text people post. PGP's whitespace pattern, use 
of hyphens and slashes, and header lines are not friendly. You shouldn't 
have to edit a message by hand before passing it off to your crypto program.


        5. Lack of Constraints Can Be Dangerous

PGP's strategy of composable, nested streams is a headache to implement 
and allows attackers to craft messages thatexplode memory usage 
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402>. There 
are workarounds, but the underlying problem is that the spec gives 
message crafters too much flexibility.

v2.23.0 | Report a Bug | By Email