Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
Daniel Huigens <d.huigens@protonmail.com> Wed, 17 August 2022 14:15 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/sTn6rUeY2FBIkZo6Yn-xnLHYLC4>
Hi Marcus,

Thanks for your message and research, and apologies for the delay, it took me a while to look at it.

On the one hand, I personally think that supporting multiple encrypted parts, or mixing encrypted and unencrypted parts, and replacing an encrypted MIME part with an unencrypted part in-place, is fraught, and in ProtonMail we don't support it. Nevertheless, I know it's something that is done, and some users expect it.

On the other hand, I agree that having some binding between the encryption and the email context would be valuable. In an ideal world, we would all be using PGP/MIME with protected headers, but as you point out, PGP/MIME can also be downgraded to PGP/Inline, so that might not even be sufficient.

So, I agree it could be valuable to add something like this, though it's a bit last minute. But we could indeed do so for SEIPDv2 without breaking stuff. However, to do so we would need to define somewhere what the AD should be, for example in a spec about PGP/MIME, and perhaps also for PGP/Inline, etc.

As a slightly orthogonal point, there have also been security issues with signatures being reused in different contexts. The Intended Recipient Fingerprint subpacket fixes one of those, but not all. I think it would be valuable to have a `context` parameter in OpenPGP that is used for both signatures and encryption, and then the higher-level spec or application using OpenPGP can define how the context should be computed. That might also address some of the concerns in your other message about email signature spoofing, perhaps.

If there is interest in this, I can make some MRs proposing changes to that effect.

Best,
Daniel

------- Original Message -------
On Monday, August 8th, 2022 at 21:19, Marcus Brinkmann wrote:

>
> On 02.08.2022 at 18:59, Bruce Walzer bwalzer@59.ca wrote:
>
> > AEAD isn't even a very accurate term in an OpenPGP context. There is
> > no AD (associated data) exposed to the user of such a system. It just
> > doesn't work that way.
>
> It would be very useful to expose AD in OpenPGP to users to prevent exfiltration attacks in the context of email. See our research at [1].
>
> Thanks,
> Marcus
>
> [1] Jörg Schwenk, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj Somorovsky, and Sebastian Schinzel. 2020. Mitigation of Attacks on Email End-to-End Encryption. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, New York, NY, USA, 1647–1664. https://doi.org/10.1145/3372297.3417878
>
> Preprint available here: https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/12/06/schwenk2020.pdf
>
> --
> Dipl.-Math. Marcus Brinkmann
>
> Lehrstuhl für Netz- und Datensicherheit
> Ruhr Universität Bochum
> Universitätsstr. 150, Geb. ID 2/461
> D-44780 Bochum
>
> Phone: +49 (0) 234 / 32-25030
> http://www.nds.rub.de/chair/people/mbrinkmann
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
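
The context binding discussed in this message, sketched as an added example that is not part of the original post and is not OpenPGP or SEIPDv2 code: AES-GCM from Go's standard library stands in for the AEAD and Ed25519 for the signature, with one context value fed to both. The labels `pgp-mime` and `pgp-inline`, the helper names and the length-prefixed layout in `bind` are assumptions, since the thread leaves the definition of the context to a higher-level spec.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// newGCM returns AES-GCM as a stand-in AEAD (not the SEIPDv2 construction).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg and authenticates ctx as associated data (ctx is not encrypted).
func seal(a cipher.AEAD, ctx, msg []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, msg, ctx) // output is nonce || ciphertext || tag
}

// open returns an error unless ctx equals the context that was passed to seal.
func open(a cipher.AEAD, ctx, sealed []byte) ([]byte, error) {
	if len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], ctx)
}

// bind builds the signed data; the 2-byte length (ctx under 64 KiB) keeps the
// ctx/msg boundary unambiguous. The layout is hypothetical.
func bind(ctx, msg []byte) []byte {
	out := append([]byte{byte(len(ctx) >> 8), byte(len(ctx))}, ctx...)
	return append(out, msg...)
}

func main() {
	a, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key
	msg, mime, inline := []byte("hi"), []byte("pgp-mime"), []byte("pgp-inline")
	_, err := open(a, inline, seal(a, mime, msg))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ok := ed25519.Verify(pub, bind(inline, msg), ed25519.Sign(priv, bind(mime, msg)))
	fmt.Println("decrypt rejected:", err != nil, "signature rejected:", !ok)
}
```

A ciphertext or signature produced under one context fails to verify when the receiver computes a different one, which is the property that would stop a PGP/MIME part from being accepted after a downgrade to PGP/Inline.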