Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
Daniel Huigens <d.huigens@protonmail.com> Fri, 19 August 2022 11:28 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0B6C14CF0A for <openpgp@ietfa.amsl.com>; Fri, 19 Aug 2022 04:28:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4mvYo6NgE9AR for <openpgp@ietfa.amsl.com>; Fri, 19 Aug 2022 04:27:59 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8DE9C14F75F for <openpgp@ietf.org>; Fri, 19 Aug 2022 04:27:59 -0700 (PDT)
Date: Fri, 19 Aug 2022 11:27:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1660908476; x=1661167676; bh=ZVjv6Uryl/S4gvuDiztfcnh8wSX3iorLoBSaUHb5Evc=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=wiQn456yiXBi5WiQbMU8Cme5EudcxtOG0YfgznhC0k8BKBZGGe/jFhqWa2gI+n9t+ XrIaQvmL8R5KF4XrOKDRajOqrREGQzxsRa4GcNeuCOesLIWe8xOfRyMqpcyKCFT6Fq vNIB6weyCtb5vC0fDZdzO0pweVtsup3lZrKH+rAYqdELVnRyvReSBuw8oCTYRV+q6L 03cEtUkvDZEd2KX4apeq6WoLGqeaU8E1QMYfnE3/1AnQEUuycfvP/ExS0v9b3GICui XRnR34K3y5XKg8/LYWiJVDzdblLzN2XR+8Ss6J/VjWdEbwmq7PSUoEhFMN8FZgFBiP 8ZEdz5mcgimCw==
To: Marcus Brinkmann <marcus.brinkmann@rub.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <i6P0E3xBS_J4u4AFSVcRSWr3NFYghskkodZsfxM82rpjIvoHwbMcDaHGO0DJ7LhNRen6XprDItHKS8wzJYUdET1kJk6rwGtyLK2EwycqkFg=@protonmail.com>
In-Reply-To: <0846A2FB-E47F-41BB-BE40-0F4C8014D0FB@rub.de>
References: <TTJa-QE7jZWshZLtu4wDR8N6DRYsKWd1S6cV-ze8q9DVO8wzAm5T4fpIEXNsoEU2Psq2oG9HWnH_0bfbzBFVvk2ROMwPNXwlinPnnKw57pM=@protonmail.com> <53ECC178-1B3D-40AE-A684-6469BEBB1426@rub.de> <foDBX2xUSvUd4BeEwZNyqSpI7BySuweSXZD7QFww4_sGWbCRdrwR_uqaQef5POcChWtRYAAYMs9_FB1uTvwTGRhqN9mOYsmfADPoWYv5PQw=@protonmail.com> <0846A2FB-E47F-41BB-BE40-0F4C8014D0FB@rub.de>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_0mWi4CW4NfDHVzJrXzPxTVLTebYbOyf9xTKPJZ0Jcg"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/tzC1QG4NBwrU_5VYVFbjow8estc>
Subject: Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 11:28:04 -0000
Hi Marcus, I see, thanks! Yeah, the HKDF already has the packet version number in it, which I assume we'd need to bump if we wanted to add more stuff in the AD. So I think there it shouldn't be an issue, but indeed for signatures it might be needed. For the record, some signing algorithms already have a `context` parameter, notably Ed448 which we added to the crypto refresh (and use with an empty context now). In theory, we could use that (and Ed25519ctx) - but for the other algorithms it would be less obvious how to add the context in that case, so I guess it would be easier / simpler to just hash (a length and) the context before the message contents in all cases. Best, Daniel ------- Original Message ------- On Thursday, August 18th, 2022 at 22:47, Marcus Brinkmann <marcus.brinkmann@rub.de> wrote: > Hi Daniel, > >> Am 18.08.2022 um 20:47 schrieb Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>: >> >>> Here I would suggest to add a variable length field to the AD of every chunk with a two-octet length followed by raw context parameter that would be provided upon encryption and decryption by the implementation. >> >> Is there a particular reason for the two-octet length? Can we not simply append the context to what we have now? Not that it would cost much to add a length, just checking if there's some security reason. > > Thank you for the question! There is no security reason, you can just append the variable-length context parameter to the AD without a length field, and that is in fact what the prototype implementation that I did for the paper does. > > There is just one caveat. If you ever want to add more to the AD, and there is no length field, you have to bump the version number of the v2 SEIPD packet to get separation. > > For signing things might be different, as there the document data is already taking up the slot for „variable length data without length field“, so a length field might be needed there (for example, if the context parameter is part of the trailer, an attacker may be able to influence the context parameter to spoof a second trailer that is then valid for a modified document that consists of the original document plus the proper trailer). > > Thanks, > Marcus > > — > Dipl.-Math. Marcus Brinkmann > > Lehrstuhl für Netz- und Datensicherheit > Ruhr Universität Bochum > Universitätsstr. 150, Geb. ID 2/461 > D-44780 Bochum > > Telefon: +49 (0) 234 / 32-25030 > http://www.nds.rub.de/chair/people/mbrinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Ángel
- Re: [openpgp] Encryption and signature context pa… Daniel Kahn Gillmor
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Kahn Gillmor
- Re: [openpgp] Encryption and signature context pa… Michael Richardson
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann