Re: [lamps] More mail madness?

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 14 May 2018 17:04 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BB1712E892; Mon, 14 May 2018 10:04:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s23du-3lI66B; Mon, 14 May 2018 10:03:57 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 525221201F8; Mon, 14 May 2018 10:03:57 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id 11-v6so11339253ois.8; Mon, 14 May 2018 10:03:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=MMqTky4iy6USAaWGfsR34yk/PlHfoXq/Vtj1OdaPX4c=; b=ec+YvR36KNKrf/oe4q+yd5CC6tBOHaSGhIcrP2NSC+R2TODJ5x15DUm2CNP9qErrsj 6p+a+r4eTnnZ2eyF2hwHLCmdOeyvjlrdMEkE6I2FW7MRRcHkMO9eHZC0fjb9paU6FBmD OLE/yl8OoCv+WX2BHphPzkHFZibQio7ubDTc0+bu+r85WEH3RW/GxbNDv7NLoEfal0Df weoMwkFOEJinvNWYIrqsXO/LKIT071/3CTFqQZBhJvPFlSVWfF2F56Iu5LsBCASGSJVo n+hFX6+jaCDgTBteVrshme3ZvzbTsNMfOn64cZh+gcz8Fvz3v0WGbcxCO5Jtf5QV3+Po GruQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=MMqTky4iy6USAaWGfsR34yk/PlHfoXq/Vtj1OdaPX4c=; b=HRLprS3b/10YjQZOmy1VN6LhlGKTaMdd/6ANdiWGU7+socUELrgv2+Ux1xI7JvvD1W EsNuF2ldgURB37wBt+0Ra8XQlaMDTsHs37LXqsufcL9wKq8ygRjA86s+dUda7+5jijNu SBdxmj/khyUGG5Q89F1irdW22G23iBKnDAeaVgStrEl+CXrP4cYqHII1Jq/GLaxh/jGl 60SfoZn6VorJOCBqlbnV9zgB2otyT7hxU44RZT72jTVV1RP4k5W+tSibx5OvKGJ3VAQh MWGWiesgMi4pm0LMSEQZja6lrNtm6BE4rJoaQsQexDsCFS8nyJIyPHpkJeH/tNaJ1fcO oxog==
X-Gm-Message-State: ALKqPwfCyJ8Hqy5uAm+kHMDUunQdbmgjhJ6LmD5eQhYlJx8rA6Asbor3 AUP5DyAiKfUepPOKNGHTqBR5BiNNxVM7hx0XZyw=
X-Google-Smtp-Source: AB8JxZouqUW5e/LM56EUvsyzMRoIkbe8CQA4eXnopDQQcJmeEA6L7gZZ4O1iJ177fjbwlyJx+168Cadt0+yz8LhQFJc=
X-Received: by 2002:aca:6257:: with SMTP id w84-v6mr7580830oib.26.1526317436589; Mon, 14 May 2018 10:03:56 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 2002:a9d:23:0:0:0:0:0 with HTTP; Mon, 14 May 2018 10:03:56 -0700 (PDT)
In-Reply-To: <CAL02cgQGew0=5s-ipyJSD=kp8+uK5juYFYUdepWeDFjf6raqsw@mail.gmail.com>
References: <CAMm+LwiOfdptL6u=SyCtQnz7xKrJD6HTDkKs+JGeHf54CSiv8A@mail.gmail.com> <B0CE44DF-DC7C-4411-B1CC-30B87E38D3F6@vigilsec.com> <51B631EC-78B3-4FF4-A82C-725A029F3DB3@nohats.ca> <C8E07D79-DFC5-4DA5-981B-26AA91A04D09@vigilsec.com> <CAL02cgQGew0=5s-ipyJSD=kp8+uK5juYFYUdepWeDFjf6raqsw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 14 May 2018 13:03:56 -0400
X-Google-Sender-Auth: p_rLkffhtR7ogknL9uSEiJWLbb0
Message-ID: <CAMm+LwhSGPHvt0E5JRU-S273Ve8wohjHJ7-giMLytNq3F_BWFQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Russ Housley <housley@vigilsec.com>, Paul Wouters <paul@nohats.ca>, SPASM <spasm@ietf.org>, IETF <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009f5de8056c2d7882"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0DiYjkzEj4jWLCnu7OFwACwzkaA>
Subject: Re: [lamps] More mail madness?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 May 2018 17:04:00 -0000

Here is the approach I use for encryption which guards against the IV
attack. It might seem a little over the top but the objective here is to
minimize the number of code paths rather than the length of the code path.

The reason I started on this approach was I was looking for a secure way to
encrypt chat room logs etc. without having to do a key exchange per
message. In the process, I realized that the same approach works remarkably
well in S/MIME like applications where we may have multiple multiparts that
we want to encrypt under one key exchange, we may want to encrypt subject
lines and we may want to encrypt signatures over the plaintext.


1) Generate fresh session key of at least 256 bits which has the property
of being infeasible to guess (note that unguessability is a stronger
requirement than merely being random).

2) Perform a key exchange for each recipient.

2a) If it is a DH or EDH key exchange, use the key exchange result as the
IKM for a KeyDerivation function with info tag "master". Then use the
resulting key to perform an AES Key Wrap of the session key.

3) Create the Enhanced Data Sequences.

For each EDC we create a salt value which needs to be unique within the
context of this particular exchange.

We then use HKDF to derive the encryption (+MAC if needed) and IV.


This approach ensures that the IV is chosen in a rigid fashion and thus
eliminates a possible area of manipulation as any change to the salt will
prevent decryption and authentication of the message as well.










On Mon, May 14, 2018 at 12:39 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Russ: Is there some more work to be done here to address the CBC/CFB
> issues?  Even if the encapsulation has AEAD support, maybe there's some
> negotiation thingy?
>
> On Mon, May 14, 2018, 12:37 Russ Housley <housley@vigilsec.com> wrote:
>
>>
>> On May 14, 2018, at 12:35 PM, Paul Wouters <paul@nohats.ca> wrote:
>>
>> On May 14, 2018, at 12:29, Russ Housley <housley@vigilsec.com> wrote:
>>
>> We are working on text for S/MIME that says that each portion of a MIME
>> multi-part needs to be handled in its own sandbox.  The direct exfiltration
>> that is described happens because the mail user agent glues the various
>> portions together for display to the user, which in the example on the web
>> page causes an image to be fetched from the attacker's website with the
>> message plaintext as part of the URL.
>>
>>
>> So that’s the bandaid. What and where will work be done on a solution?
>>
>>
>> LAMPS just sent an update to the S/MIME message document to the IESG.  My
>> guess is that there will be discussion on the spasm@ietf.org mail list.
>>
>> Russ
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>
>