IETF Logo Mail Archive

Re: [openpgp] Padding packets

"brian m. carlson" <sandals@crustytoothpaste.net> Thu, 16 June 2022 00:34 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B45CFC14CF1A for <openpgp@ietfa.amsl.com>; Wed, 15 Jun 2022 17:34:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXbEDSiNM5tm for <openpgp@ietfa.amsl.com>; Wed, 15 Jun 2022 17:34:40 -0700 (PDT)
Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [172.105.110.227]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17BB0C14F744 for <openpgp@ietf.org>; Wed, 15 Jun 2022 17:34:39 -0700 (PDT)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:a6ae:7d13:8741:9028]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id A4A405A1E3 for <openpgp@ietf.org>; Thu, 16 Jun 2022 00:34:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1655339678; bh=QPAvqrkhS0zaA/i73hzu370tPpX3b3GVBsWNDqZOvtQ=; h=Date:From:To:Subject:References:Content-Type:Content-Disposition: In-Reply-To:From:Reply-To:Subject:Date:To:CC:Resent-Date: Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=lQaZbsfzr5vAyvlq9lE83BOmqGVkpkmgk/tCxII3p/PMi9ft33npkQ+A8MoB8IYW1 8NL1TTXtt1V2JrFWGRB1gvaCBsq0srNotFLLiojMZeBjG73dXHyTtW9koz8PpZUrWE t+1L5RzT5T0UAaen3beR2goYG2QQZN5b4B7X85GtTRdBT8EAmKS9G3jWyKD/JlmJqn x2cfKv200cpsXjF3Dsn0zq/Ly9GNcYcJM1eZmQWeVnPxefVXv57gsXIjmkuuvlkivk 9VImNDdi49LX5kmXhp2jpm0X5eSiQhpRUUpQX0PRg1mdR9WeI5a0AijSHy9Vgw0yLk KVS0o0mbhuHyz651n3D+r6bhogBQ0SixFE09/IIRg8g8MXyTGfqwtkcOgnih5Xv5Lv aT79aEkJP7uWJzGZP7uBvpXHvgHVSZb6364IwvHHHizHhr5Ut3Okc5H5IqGKHdqMpw P8N5MvPOg0Btqv7+dzZDmmIjKqc+yBu6Ab27FOj/nviCEvZdkNf
Date: Thu, 16 Jun 2022 00:34:36 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <Yqp6nF+D7+f41IUC@camp.crustytoothpaste.net>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="hvXYebzhZrIL2A4+"
Content-Disposition: inline
In-Reply-To: <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net>
User-Agent: Mutt/2.2.4 (2022-04-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/uHBIH6VWpleTOzKHkUKE0WeTXoc>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2022 00:34:44 -0000

On 2022-06-15 at 23:43:00, Ángel wrote:
> On 2022-06-15 at 13:29 +0200, Werner Koch wrote:
> > Hi!
> > 
> > The idea of a padding packet is in general a good idea and has been
> > discussed many times:
> > 
> >    5.14.  Padding Packet (Tag 21)
> > 
> >    The Padding packet contains random data, and can be used to defend
> >    against traffic analysis (see Section 14.10) on version 2 SEIPD
> >    [...]
> >    Its contents SHOULD be random octets to make the length obfuscation
> >    it provides more robust even when compressed.
> > 
> > The problem with random padding packets is that this opens a high
> > capacity channel with all its problems.
> 
> I agree. I think this was noted in the past, as well.

I agree that this seems undesirable here.

> However, we don't need this to be random, it can be deterministic yet
> incompressible.
> Take a symmetric-key algorithm, use it in counter mode with the hash of
> the previous packet as key (or IV). That will produce an output which
> should not be compressible. Yet, it produces a deterministic padding
> that can be verified by the receiving application.

If we didn't have to deal with compression, I'd simply say we could fix
it at all zeros.  Since we do, maybe we want to just make it a fixed
value, say, the output of SHA-256 on an increasing 8-byte big-endian
counter starting at 0.  That provides practically infinite padding, is
always a fixed value (which can be verified), and, because SHA-256 is
believed to be indistinguishable from random, practically
uncompressible.

Since this packet would already have been verified by the AEAD, the
implementation doesn't have to provide complex constant-time padding
verification, which is a hassle and a source of bugs.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

v2.23.0 | Report a Bug | By Email