Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 12 October 2022 07:14 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1799C14CF03 for <openpgp@ietfa.amsl.com>; Wed, 12 Oct 2022 00:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.314
X-Spam-Level:
X-Spam-Status: No, score=-1.314 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=XTxM4KOl; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=3mNF3S3u
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvoz3mUI2sRc for <openpgp@ietfa.amsl.com>; Wed, 12 Oct 2022 00:14:51 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EFD6C14F72A for <openpgp@ietf.org>; Wed, 12 Oct 2022 00:14:50 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1665558890; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=tbRRbXU1XtIJ8TiTobAQK7r5O3fzAF2L05FVZAeYGZM=; b=XTxM4KOloole/lPaKY3qv3kSP+8ODL/20BxuhCsQBVxv0xZQPWRiZYvR8FF0lCKR40O2b oFvk8j6AX8CHePvCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1665558890; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=tbRRbXU1XtIJ8TiTobAQK7r5O3fzAF2L05FVZAeYGZM=; b=3mNF3S3uxkCk0Vm5lux7j24LpppPdVJEJjG6ejMXLZtJdzGcByYS6hkZABRXlfcmopS1t rky5BQJmdH9E/1mBdc8cVvEo8CQdEz1XVuQER6NZ/pl0YCHrCeUMSh7kw+pgPir+2Tkzk7T UJWqUOA+O6mbhxUD2F93KGP+aZaiTNQI76H6JxuCspq/EKp3VOH+srnm8UpHnsrVBDPYaP5 QojfVHQVFXCIu6T0aIWRQzeIWJ6rIeEJa4amzNOJ9xE0OM63+w209FxL4oxgh6U3e7Iq6qb PGJMxGU+fjrLtiQ36bM8dBddnt8XK0IvSwe6Or1QSuhvnmqfKh8Fw1dI75bQ==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 70923F9B2; Wed, 12 Oct 2022 03:14:49 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 819AE215A0; Wed, 12 Oct 2022 03:05:48 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Daniel Huigens <d.huigens@protonmail.com>, Marcus Brinkmann <marcus.brinkmann@rub.de>
Cc: openpgp@ietf.org
In-Reply-To: <i6P0E3xBS_J4u4AFSVcRSWr3NFYghskkodZsfxM82rpjIvoHwbMcDaHGO0DJ7LhNRen6XprDItHKS8wzJYUdET1kJk6rwGtyLK2EwycqkFg=@protonmail.com>
References: <TTJa-QE7jZWshZLtu4wDR8N6DRYsKWd1S6cV-ze8q9DVO8wzAm5T4fpIEXNsoEU2Psq2oG9HWnH_0bfbzBFVvk2ROMwPNXwlinPnnKw57pM=@protonmail.com> <53ECC178-1B3D-40AE-A684-6469BEBB1426@rub.de> <foDBX2xUSvUd4BeEwZNyqSpI7BySuweSXZD7QFww4_sGWbCRdrwR_uqaQef5POcChWtRYAAYMs9_FB1uTvwTGRhqN9mOYsmfADPoWYv5PQw=@protonmail.com> <0846A2FB-E47F-41BB-BE40-0F4C8014D0FB@rub.de> <i6P0E3xBS_J4u4AFSVcRSWr3NFYghskkodZsfxM82rpjIvoHwbMcDaHGO0DJ7LhNRen6XprDItHKS8wzJYUdET1kJk6rwGtyLK2EwycqkFg=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Wed, 12 Oct 2022 03:05:47 -0400
Message-ID: <87k0555xo4.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yUfY8pwJtOo19oQKICnBx_TsCZs>
Subject: Re: [openpgp] Encryption and signature context parameter (Was: OpenPGP encryption block modes)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2022 07:14:55 -0000
I've been puzzling over this question about encryption and signature context parameters, while looking at Daniel's notes in the issue tracker and proposed merge request: https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/145 https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/214 I'm sympathetic to the idea of these context strings, but i'm also pretty wary about adding mechanism that i don't think we understand. The notes in this message are in my personal capacity, not as co-chair. If someone on this list feels they have solid answers to the questions i'm raising here, i could maybe be convinced. but i'm leaning toward thinking this change is not worth doing to the spec. We have other ways to accomplish some similar (but not quite as protective) things that would be less disruptive than this change. I have five main lines of questioning here: - both encryption and signatures? - should the context travel with the OpenPGP object? - how should an application select the context? - what would deployment actually look like? - what would an API look like for this? # Both Encryption and Signatures? It's very tempting and elegant feeling to try to apply these sorts of ideas across both primitives, but often they are subtly different. Are we sure that this is important for boh signatures and encryption? For example: for signatures, there can be an attack on the signer (making them try to sign something in a strange context) or an attack on the verifier (trying to make them accept a signature with the wrong context). iiuc, an example attack on a signature might be trying to make an e-mail message be evaluated as a software signature, or vice versa. And for encryption, there is an attack on the encryptor (making them encrypt something in an unusual context), and an attack on the decryptor (making them decrypt something somewhere where they shouldn't be). An example attack might be sending someone one of their encrypted backup files as an e-mail message and hoping that they will reply to it, effectively including the contents of the backup in the encrypted reply. These are subtly different things, and i think i'm convinced that they're both things that *could* be mitigated if every OpenPGP deployment was judicious about the choice of context string, but i'd welcome other thoughts. # Should the context travel with the OpenPGP material? As Marcus says, having the context travel literally and explicitly with the packet offers the enticement for consuming implementers to "cheat" -- and just pass the context string discovered with the object without confirming that it is actually the right context. Of course, right now, *no* implementation confirms that it is the right context (because there is no such context mechanism) so this isn't worse than the status quo. But is it any better than the status quo to have the context shipped with the OpenPGP material? - for signing, it appears that it's still useful because the signer is obliged to choose a context for her signature, probably not under the influence of the attacker. However, as long as the attacker can get the signer to sign arbitrary content in a specific *situation* where the desired bad context is used, there is still an attack possible. Or, if the attacker is capable of asking the signer for a signature over arbitrary content, who is to say that the attacker couldn't also ask the signer to provide an explicit context string as well? From the verifier's perspective, the verifier needs to know a specific context (and confirm it against the provided context). but if they do that, then they could also just as well know of a specific arbitrary extension that they require to be present on all signatures in that context. The only difference here is that the context string is *before* the message being signed, but a notation shows up *after* the message being signed. So shipping the context with the signature feels like a lot of new mechanism that could be accomplished in a way that's already defined, and doesn't provide much of a win. - for encryption, it might appear to be useful because the decryptor can say "i'm only going to decrypt things that have context X" and refuse to decrypt if the context doesn't match. But we already know that it's very hard to convince an implementation to *not* decrypt for the user when it might be able to figure out how to decrypt (e.g. see all the discussion and heartache around decrypting the known-bad SED packets). Having a required context string for successful decryption is an expansion of the opportunities for an OpenPGP object to be un-decryptable, which is a very frustrating failure mode for the user. So if the context is shipped with the object, the temptation to cheat is *very* great. So i'm left with the sense that if we want the security gains from this that aren't otherwise already available (e.g. with Intended Recipients, or with notations), the context should *not* travel with the object, but rather needs to be explicitly defined by both the producer and consumer of the object. # How should an application select the context? For this to be useful, an application needs to be able to identify the context that it will use. But what is the context? i mean, it's a bytestring, but what kind of scope should the context have? !214 uses "Message from Alice to Bob" as a context string. But why that level of detail? Why include both Alice's name and Bob's name? If we're including Alice and Bob's names, why not include the Date and Message-Id as well? If the context string needs to be known a priori and *not* travel with the message, then we should just use something like "e-mail message" -- if we want to ensure that e-mail headers are cryptographically protected, that's a distinct project [0]. [0] https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/ But how are implementers supposed to know what to choose? do we need a registry? Do we need guidance? does "software package" make sense? or should it be "tarball" or ".deb" or ".rpm"? What about "Debian" vs. "Ubuntu"? Should acceptable encryption context strings be advertised in the OpenPGP certificate of the recipient? These are a ton of open questions that this mechanism brings up, and i don't know how to resolve them. # What would deployment look like? Would this be something that works for the deployed base, or would it be something that is only useful for greenfield implementations? Is there a phase-in plan? For example, can we imagine an OpenPGP-capable MUA that one day says "i will not decrypt any message that does not use the 'encrypted e-mail' context string, and i will not validate any signature that doesn't have the 'signed e-mail' context string" ? or would it realistically just continue to accept things that have the null context? if it does both, does it need to do repeated trial decryption and trial signature verification? Could we tie such a requirement to the version of the OpenPGP object? For example, a MUA that permits decryption of v1 SEIPD without a context, but it tries to decrypt v2 SEIPD, it will *only* do so with an 'encrypted e-mail' context? or, when it verifies a v4 signature, it ignores the context, but it will only verify a v5 signature under context 'signed e-mail'. Does this seem plausible? If we take this latter route, then some of the gains *only* come when at least some of the parties involved have fully stopped producing or consuming the older formats. And, it appears to raise the bar for adopting the newer formats in contexts where the older formats are already deployed. It's not just a matter of upgrading the cryptographic stack, but now the deployment needs to know its expected context. # What would the API look like for this? i know we don't have a common API for OpenPGP other than SOP [1], but what would an API that includes these contexts actually look like? how would it behave? If you have a preferred API to consider, how would you imagine extending it to support these contexts? [1] https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/ Are we talking about a new argument for packet generation (when generating signatures and SEIPD), which would be ignored if the version of the generated object doesn't support it? or would it be an error if a caller asks for a context for an object that can't use the right version? What about packet consumption? If i get a signature verification based on my provided context, does that mean that the context was really used? What about if i'm decrypting a message? ------ In summary, i think this mechanism is intriguing, and i see the real concerns it is trying to address. But i'm not convinced this is the right (or plausible) thing to do logistically. I also think we have some mechanisms that can approximate some of the advantages already (signature subpackets, notations) for implementations that want to be a bit stricter (equivalent of having the context travel with the objects). And i think taking it all the way (where it doesn't travel with the object) raises a whole bunch of questions, like: - how does an application knows what its necessary context is? - how the ecosystem coordinate and scope the domains that the mechanism intends to separate? What if one MUA thinks that the appropriate scope for encryption is the mail-addr of the primary inbox address, but another MUA thinks it should just be the literal "e-mail encryption". Who gets to decide? How will they interoperate? - how can we avoid this additional wrinkle becoming an obstacle to deployment in places where we want to roll out the new versions? If there's an OpenPGP library, what else does the application have to do when initializing the library, rather than just upgrading to the new version? - if we can't answer these questions, how do we avoid this becoming yet another way that OpenPGP implementations might fail to interoperate? There are a lot of moving parts in OpenPGP, many of which are simply not implemented, but seemed like good ideas at the time. How do we keep this from being one of those? So I'm pessimistic about this, but I'm willing to be convinced otherwise. Regards, --dkg
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Ángel
- Re: [openpgp] Encryption and signature context pa… Daniel Kahn Gillmor
- Re: [openpgp] Encryption and signature context pa… Daniel Huigens
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann
- Re: [openpgp] Encryption and signature context pa… Daniel Kahn Gillmor
- Re: [openpgp] Encryption and signature context pa… Michael Richardson
- Re: [openpgp] Encryption and signature context pa… Marcus Brinkmann