MDC checking #1142
Comments
|
This issue was originally reported by Patrick Brunschwig at https://bugzilla.mozilla.org/show_bug.cgi?id=1638645 which also has a test message attached. The message is encrypted for Alice's key from https://gitlab.com/openpgp-wg/openpgp-samples |
|
@kaie Thanks for reporting. I think we should also return some error code (like RNP_ERROR_LOW_SECURITY) instead of RNP_SUCCESS for such operation. |
|
Maybe like this? |
|
The encryption flag was added because of issue 1107. |
I'd prefer slightly change this:
I can do PR with all these changes but slightly later, once finished with other tasks in queue. [
{
"header":{
"offset":0,
"tag":1,
"tag.str":"Public-Key Encrypted Session Key",
"raw":"85020c",
"length":524,
"partial":false,
"indeterminate":false
},
"version":3,
"keyid":"5f5fdf400616a9cf",
"algorithm":1,
"algorithm.str":"RSA (Encrypt or Sign)",
"material":{
"m.bits":4093
}
},
{
"header":{
"offset":527,
"tag":1,
"tag.str":"Public-Key Encrypted Session Key",
"raw":"845e",
"length":94,
"partial":false,
"indeterminate":false
},
"version":3,
"keyid":"4766f6b9d5f21eb6",
"algorithm":18,
"algorithm.str":"ECDH",
"material":{
"p.bits":263,
"m.bytes":48
}
},
{
"header":{
"offset":623,
"tag":9,
"tag.str":"Symmetrically Encrypted Data",
"raw":"c97d",
"length":125,
"partial":false,
"indeterminate":false
}
}
] |
|
Your rnp_op_verify_get_protection_mode API suggestion seems fine. I'd prefer to avoid having to interpret the raw package dump. |
|
@kaie Got it. Will make a PR as soon as I'll get to this. |
|
I wonder how additional attributes about the encryption could get obtained. I think we should have a way query which ciphersuites were used to encrypt the message (public key and symmetric). Should we use the same API to also provide this information, and use an integer as the output parameter, not a bool? It could be used to query The application might want to have a whitelist of algorithms that are considered "sufficiently secure", and only show security indicators for messages that use an algorithm from the whitelist. |
|
Another argument for not parsing the packet dump ourselves is, the JSON output format might not be guaranteed to be stable over time. A defined API seems more future safe. |
|
Another idea to be even more flexible. Two input parameters:
Two output parameters:
Which output parameter is filled is decided by the implementation, based on the value being queried. I don't know if this makes sense, or if we're rebuilding the flexibility of JSON. |
|
Actually, given that the tag numbers and algorithms identifiers are officially defined, maybe your original suggestion to look at the package dump makes sense after all. I'll think about it a bit more. |
|
@kaie We definitely should provide some easy interface to obtain this information, JSON output was proposed as the temporary solution/or solution for cases where more detailed information is needed. Also idea is to keep JSON output format the same, together with FFI interface. I.e. use rule 'new things could be added, old things should not be changed'. What do you think about the following approach with 3+ functions:
|
If these are mutually exclusive, would a string return value better? It would avoid having to call the function multiple times.
'none' would indicate that no encryption layer was present? Does OpenPGP define a way to use an encryption layer with a null cipher for testing? If yes, how would we distinguish that?
seems good overall |
All FFI calls return RNP_SUCCESS or error code, so this one should follow the same rule. And why would you need to call it multiple times? It would allocate memory itself (on success), like any other function, and there is only single possible result.
There is no null cipher in OpenPGP, but anyway we would be able to use string 'null' for that, for instance. |
Sorry, I had missed that you defined rnp_op_verify_get_protection_mode uses two output parameters. (I had falsely assumed its one input and one output.) |
|
Just an inconsequential side note: OpenPGP does specify a null cipher (see section 9.2 id 0 - "Plaintext or unencrypted data"), although I have never seen it supported in practice. If you try to decrypt such a packet with gpg, you get an error "Invalid cipher algorithm". |
|
@lambdafu Thanks for the clarification. If that would ever required we may return 'null' instead of 'none' so such case may be checked by caller. |
|
@ni4 Would it be possible to add another output parameter to rnp_op_verify_get_protection_info, in order to obtain the rnp_key_handle_t of the local secret key that was used to decrypt the message? (This would be a more reliable and direct way than the key unlock callback.) This could be used to learn which encryption mechanism was used to to transport the message key. |
|
Alternatively, it could be a separate API. If you don't like the suggestion, or if want to think more about it, then in the meantime I can keep using the unlock callback to get that information. |
|
IIUC, the "mode" parameter tells us, which mechanism the message intended to use. And parameter "valid" tells us, if that mechanism was successfully used, or if the related checks failed. Because there aren't any checks for mechanism "cfb", you want to always return "false" for cfb. That seems fine. Now I have an additional idea. Instead of returning the key handle for the related secret key, you could simply return the algorithm of the related public/private key (or decryption operation). So the output parameters of rnp_op_verify_get_protection_info would inform about both the symmetric cipher, and about the public/private key cipher that was used for decrypting the message. |
This functionality is planned in the next PR I mentioned - something like Returning only the information about the key, used during decryption, is not enough from the security perspective. Say, message can be encrypted to 4096-bit RSA key, but it is also encrypted to the 512-bit old RSA key, or with password with 16 hashing iterations. I.e. encryption strength is the lowest one from the recipient list. |
|
Ok, makes sense. |
If an encrypted message doesn't have MDC, then RNP will decrypt it without warning.
Function rnp_op_verify_execute returns zero (good status).
Lack of MDC is considered a security issue, and an email agent should usually reject messages that don't use MDC.
Does RNP offer a mechanism to learn about the lack of MDC in a decrypted message?
If not, how about adding an API with a rnp_op_verify_t parameter, that can be called after the operation, and which will return details of the decryption operation?
The text was updated successfully, but these errors were encountered: