It is (probably) okay to decrypt a message with a revoked, expired or weak key #6991

nwalfield · 2023-10-12T10:57:29Z

secret_key_from_cert is used by decrypt to decrypt a message:

Lines 40 to 48 in 8d00ba5

    
           /// Get the secret encryption key, which is the first and only subkey, from the cert. 
        
           pub(crate) fn secret_key_from_cert<'a>( 
        
               policy: &'a dyn Policy, 
        
               cert: &'a Cert, 
        
           ) -> Result<Key<SecretParts, UnspecifiedRole>> { 
        
               // Pull the encryption keys that are compatible with by the standard policy 
        
               // (e.g. not SHA-1) supported by Sequoia, and not revoked. 
        
               // These filter options should be kept in sync with `Helper::decrypt()`. 
        
               let keys: Vec<_> = filter_keys!(cert.keys().secret(), policy).collect();

But, there is no reason to not decrypt a message if it key is expired, revoked, the policy says the algorithms are no longer strong enough. Is there?

The text was updated successfully, but these errors were encountered:

legoktm · 2023-10-12T19:59:44Z

In the current context of SecureDrop it's a bit theoretical. Source keypairs are fully created and managed by SecureDrop, so there should never be a scenario with an expired or revoked key.

AFAIK SecureDrop has always generated keys that are compliant with the current standard policy, but I agree with you that it doesn't make sense to prevent decryption of messages because of that.

Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. Fixes #6991.

Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. We first try validating the key with the StandardPolicy before trying again with a NullPolicy to avoid downgrade attacks. Since we now have another type of policy being used, the constant has been renamed to STANDARD_POLICY to be clearer what kind it is. Fixes #6991.

Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. We first try validating the key with the StandardPolicy before trying again with a NullPolicy to avoid downgrade attacks. Since we now have another type of policy being used, the constant has been renamed to STANDARD_POLICY to be clearer what kind it is. Fixes #6991. (cherry picked from commit 3596bb0)

legoktm self-assigned this Oct 12, 2023

legoktm mentioned this issue Oct 12, 2023

redwood: Relax requirements for decrypting messages #7000

Merged

2 tasks

zenmonkeykstop closed this as completed in #7000 Oct 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

It is (probably) okay to decrypt a message with a revoked, expired or weak key #6991

It is (probably) okay to decrypt a message with a revoked, expired or weak key #6991

nwalfield commented Oct 12, 2023

legoktm commented Oct 12, 2023

It is (probably) okay to decrypt a message with a revoked, expired or weak key #6991

It is (probably) okay to decrypt a message with a revoked, expired or weak key #6991

Comments

nwalfield commented Oct 12, 2023

legoktm commented Oct 12, 2023