IETF Logo Mail Archive

Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless

Daniel Huigens <d.huigens@protonmail.com> Fri, 15 July 2022 12:16 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC1DC14F75F for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 05:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kffdQ3LKmoN7 for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 05:15:59 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F0D2C14F736 for <openpgp@ietf.org>; Fri, 15 Jul 2022 05:15:59 -0700 (PDT)
Date: Fri, 15 Jul 2022 12:15:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1657887356; x=1658146556; bh=uKXH0QVjDbf3F3LcDZe8/Bv7S883MWUp8KShU+RwOVE=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=v24vWWp7zHsBihU0LB8yZK15Wmzwjz8RAPBDf3UyiSS0KU2C+u/PGfafkTR6NNAGF yKHO9UIzA30Fj1oagY1wk4TwUnaDBAh6k/fzCVgGjPCwlpdUDSubVyrJH5pEkVNoGa DmaITUeHtBaAzQSxBQ8BVwK/wH4Q9UcagvuAEfUOftNkzqEsH3wAiGKIOyuA6z2JHc ay5Lau8ANHsnQ3SPB4kYos/uHx3Y8mdjqeY2uFxysX+X8+km23u1npu2n7guETIUJV aVURxWjziSYq9lhTkaF041rqWffipKnC0seMQo2EQTttzpsicUzrsjTHIwEKsAcR8h gDIAf/F9IJ8sg==
To: Bruce Walzer <bwalzer@59.ca>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <8z4hYvgxLiNrfVMLCTfxUFCm6MVzugdNOvjPdvn4qoRF76lESafW0nqnQthrtCGbGK3ire9lqAmrJetJHHCYJiHhxXXgkCWKB5zmPc6Ax-g=@protonmail.com>
In-Reply-To: <YtFLcfKMEC/vRXY+@watt.59.ca>
References: <YtFLcfKMEC/vRXY+@watt.59.ca>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wHpy4Yp4ljkLpVdYtQ6J17uk-aw>
Subject: Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 12:16:03 -0000

Hi,

I won't attempt to address the entire article but I want to bring up
some points:

> The email client application code receives this error instead of the
> decrypted message. Now what? What do we tell the user?

It's a good question, but I think it's important to note that the goal
of security checks, in general, is to prevent an attack, and so
actually the hope is that the error *won't* be shown. If the check is
there, there's no reason to do the attack, and thus the error should
only show up if there's some bug, which should be caught quickly thanks
to the check. So I think that errors being bad UX is not a sufficient
argument not to have the check (you also have to somehow argue why the
errors would show up at all).

Then, if you (somewhat) agree with that, I want to bring up a practical
advantage of the new scheme: it breaks up messages into chunks, which
can be checked and released to the application individually, instead of
having to wait for the MDC at the end of the message.

> The user already knows about email signatures, so why not try an
> approach based on, you know, authenticity?

EFAIL is an attack against confidentiality, not just authenticity.
That's why it should be fixed at the encryption layer, imo. You might
also not have the public key of the sender, and requiring that just to
be able to safely decrypt the message would make things much worse.
(Additionally, if you wanted to break up the message into chunks, as we
do with AEAD, and sign each chunk, that would become very expensive.)

Then, you might still ask, why use AEAD instead of OCFB-MDC.
A proper AEAD scheme integrates confidentiality and integrity, which
makes providing both more efficient and more secure. If you want proof
of that, you should ask a cryptographer instead of me, but a security
proof is typically included with the paper of any good AEAD scheme. A
security proof for OCFB-MDC doesn't exist, as far as I know, and it's
doubtful whether it's possible to provide one, which in itself should
be worrying, even if nobody has been able to come up with a practical
attack (so far).

Best,
Daniel


------- Original Message -------
On Friday, July 15th, 2022 at 13:11, Bruce Walzer <bwalzer@59.ca> wrote:

> The article in question:
>
> * https://articles.59.ca/doku.php?id=pgpfan:no_new_ae
>
> This editorial fell out of a series of OpenPGP advocacy articles I wrote. The position:
>
> * The current OpenPGP encryption mode is secure and appropriate and
> should not be replaced.
>
> * The OpenPGP standard should not suggest or attempt to mandate that
> data that is suspected of malicious modification should be withheld
> from any entity. It is better to complete the operation and then
> provide the status.
>
> I realize that this is not at all a mainstream position to take. I am
> only posting this here in case it gains any traction. I don't want to
> blindside anyone.
>
> Bruce
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email