Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)

Daniel Huigens <d.huigens@protonmail.com> Wed, 17 August 2022 14:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/sTn6rUeY2FBIkZo6Yn-xnLHYLC4>

Hi Marcus,

Thanks for your message and research, and apologies for the delay, it
took me a while to look at it.

On the one hand, I personally think that supporting multiple encrypted
parts, or mixing encrypted and unencrypted parts, and replacing an
encrypted MIME part with an unencrypted part in-place, is fraught, and
in ProtonMail we don't support it. Nevertheless, I know it's something
that is done, and some users expect it.

On the other hand, I agree that having some binding between the
encryption and the email context would be valuable. In an ideal world,
we would all be using PGP/MIME with protected headers, but as you point
out, PGP/MIME can also be downgraded to PGP/Inline, so that might not
even be sufficient.

So, I agree it could be valuable to add something like this, though
it's a bit last minute. But we could indeed do so for SEIPDv2 without
breaking stuff. However, to do so we would need to define somewhere
what the AD should be, for example in a spec about PGP/MIME, and
perhaps also for PGP/Inline, etc.

As a slightly orthogonal point, there have also been security issues
with signatures being reused in different contexts. The Intended
Recipient Fingerprint subpacket fixes one of those, but not all.
I think it would be valuable to have a `context` parameter in OpenPGP
that is used for both signatures and encryption, and then the
higher-level spec or application using OpenPGP can define how the
context should be computed. That might also address some of the
concerns in your other message about email signature spoofing,
perhaps.

If there is interest in this, I can make some MRs proposing changes to
that effect.

Best,
Daniel


------- Original Message -------
On Monday, August 8th, 2022 at 21:19, Marcus Brinkmann wrote:

> > On 02.08.2022 at 18:59, Bruce Walzer bwalzer@59.ca wrote:
> 
> > AEAD isn't even a very accurate term in an OpenPGP context. There is
> > no AD (associated data) exposed to the user of such a system. It just
> > doesn't work that way.
> 
> 
> It would be very useful to expose AD in OpenPGP to users to prevent exfiltration attacks in the context of email. See our research at [1].
> 
> Thanks,
> Marcus
> 
> [1] Jörg Schwenk, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj Somorovsky, and Sebastian Schinzel. 2020. Mitigation of Attacks on Email End-to-End Encryption. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, New York, NY, USA, 1647–1664. https://doi.org/10.1145/3372297.3417878
> 
> Preprint available here: https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/12/06/schwenk2020.pdf
> 
> —
> Dipl.-Math. Marcus Brinkmann
> 
> Lehrstuhl für Netz- und Datensicherheit
> Ruhr Universität Bochum
> Universitätsstr. 150, Geb. ID 2/461
> D-44780 Bochum
> 
> Phone: +49 (0) 234 / 32-25030
> http://www.nds.rub.de/chair/people/mbrinkmann
> 
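
An added example, not part of the thread or of any OpenPGP draft: a sketch of the encryption side of the `context` idea discussed above, using Go's standard AES-GCM as a stand-in for SEIPDv2. The function names and the choice of context fields (a protocol label plus the message format) are assumptions; the thread leaves the actual definition to a higher-level spec.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Context encodes fields as "<len>:<bytes>," so ("ab","c") and ("a","bc") differ.
func Context(fields ...string) []byte {
	var out []byte
	for _, f := range fields {
		out = append(out, fmt.Sprintf("%d:%s,", len(f), f)...)
	}
	return out
}

// NewAEAD returns AES-GCM for a 16-, 24- or 32-byte key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal prepends a random nonce and authenticates ctx as associated data.
func Seal(a cipher.AEAD, ctx, msg []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, msg, ctx), nil
}

// Open fails unless ctx is byte-for-byte the context that was given to Seal.
func Open(a cipher.AEAD, ctx, sealed []byte) ([]byte, error) {
	if len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], ctx)
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	ct, _ := Seal(a, Context("email", "PGP/MIME"), []byte("hello"))
	fmt.Println(Open(a, Context("email", "PGP/Inline"), ct))
}
```

A ciphertext sealed under the PGP/MIME context is rejected when the receiver derives a PGP/Inline context, which is the binding property the thread asks for; the same encoded context could be prepended to the data covered by a signature.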