Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless
Daniel Huigens <d.huigens@protonmail.com> Fri, 15 July 2022 12:16 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC1DC14F75F for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 05:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kffdQ3LKmoN7 for <openpgp@ietfa.amsl.com>; Fri, 15 Jul 2022 05:15:59 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F0D2C14F736 for <openpgp@ietf.org>; Fri, 15 Jul 2022 05:15:59 -0700 (PDT)
Date: Fri, 15 Jul 2022 12:15:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1657887356; x=1658146556; bh=uKXH0QVjDbf3F3LcDZe8/Bv7S883MWUp8KShU+RwOVE=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=v24vWWp7zHsBihU0LB8yZK15Wmzwjz8RAPBDf3UyiSS0KU2C+u/PGfafkTR6NNAGF yKHO9UIzA30Fj1oagY1wk4TwUnaDBAh6k/fzCVgGjPCwlpdUDSubVyrJH5pEkVNoGa DmaITUeHtBaAzQSxBQ8BVwK/wH4Q9UcagvuAEfUOftNkzqEsH3wAiGKIOyuA6z2JHc ay5Lau8ANHsnQ3SPB4kYos/uHx3Y8mdjqeY2uFxysX+X8+km23u1npu2n7guETIUJV aVURxWjziSYq9lhTkaF041rqWffipKnC0seMQo2EQTttzpsicUzrsjTHIwEKsAcR8h gDIAf/F9IJ8sg==
To: Bruce Walzer <bwalzer@59.ca>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <8z4hYvgxLiNrfVMLCTfxUFCm6MVzugdNOvjPdvn4qoRF76lESafW0nqnQthrtCGbGK3ire9lqAmrJetJHHCYJiHhxXXgkCWKB5zmPc6Ax-g=@protonmail.com>
In-Reply-To: <YtFLcfKMEC/vRXY+@watt.59.ca>
References: <YtFLcfKMEC/vRXY+@watt.59.ca>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wHpy4Yp4ljkLpVdYtQ6J17uk-aw>
Subject: Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 12:16:03 -0000
Hi, I won't attempt to address the entire article but I want to bring up some points: > The email client application code receives this error instead of the > decrypted message. Now what? What do we tell the user? It's a good question, but I think it's important to note that the goal of security checks, in general, is to prevent an attack, and so actually the hope is that the error *won't* be shown. If the check is there, there's no reason to do the attack, and thus the error should only show up if there's some bug, which should be caught quickly thanks to the check. So I think that errors being bad UX is not a sufficient argument not to have the check (you also have to somehow argue why the errors would show up at all). Then, if you (somewhat) agree with that, I want to bring up a practical advantage of the new scheme: it breaks up messages into chunks, which can be checked and released to the application individually, instead of having to wait for the MDC at the end of the message. > The user already knows about email signatures, so why not try an > approach based on, you know, authenticity? EFAIL is an attack against confidentiality, not just authenticity. That's why it should be fixed at the encryption layer, imo. You might also not have the public key of the sender, and requiring that just to be able to safely decrypt the message would make things much worse. (Additionally, if you wanted to break up the message into chunks, as we do with AEAD, and sign each chunk, that would become very expensive.) Then, you might still ask, why use AEAD instead of OCFB-MDC. A proper AEAD scheme integrates confidentiality and integrity, which makes providing both more efficient and more secure. If you want proof of that, you should ask a cryptographer instead of me, but a security proof is typically included with the paper of any good AEAD scheme. A security proof for OCFB-MDC doesn't exist, as far as I know, and it's doubtful whether it's possible to provide one, which in itself should be worrying, even if nobody has been able to come up with a practical attack (so far). Best, Daniel ------- Original Message ------- On Friday, July 15th, 2022 at 13:11, Bruce Walzer <bwalzer@59.ca> wrote: > The article in question: > > * https://articles.59.ca/doku.php?id=pgpfan:no_new_ae > > This editorial fell out of a series of OpenPGP advocacy articles I wrote. The position: > > * The current OpenPGP encryption mode is secure and appropriate and > should not be replaced. > > * The OpenPGP standard should not suggest or attempt to mandate that > data that is suspected of malicious modification should be withheld > from any entity. It is better to complete the operation and then > provide the status. > > I realize that this is not at all a mainstream position to take. I am > only posting this here in case it gains any traction. I don't want to > blindside anyone. > > Bruce > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] Replacing the OpenPGP Encryption Mode i… Bruce Walzer
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Daniel Huigens
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Bruce Walzer
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Daniel Huigens
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Wyllys Ingersoll
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Paul Schaub
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Bruce Walzer
- Re: [openpgp] Replacing the OpenPGP Encryption Mo… Daniel Huigens