[messaging] Transparency for E2E encrypted messaging at a centralized service

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Mar 26 10:51:15 PDT 2014


On 03/26/2014 01:39 PM, Michael Rogers wrote:
> A nitpick, but does OpenPGP support integrity protection for symmetric
> encryption? Last time I looked it just had some kind of hash-based
> checksum that the docs warned was not intended to be a real MAC.

All OpenPGP message encryption is symmetric [0], it's just preceded by a
PK-ESK ("public key encrypted session key") packet [1] that allows the
holder of a secret key to discover the symmetric session key used for
encryption.  "gpg --symmetric" just emits a SK-ESK ("symmetric-key
encrypted session key") packet [2] instead of (or in addition to) the
PK-ESK.

And of course, OpenPGP has message signatures, which clearly do cover
strong integrity protection, but bundle it with proof-of-origin. These
can be layered inside a typical encrypted message, regardless of whether
you use a PK-ESK or SK-ESK.

The MDC ("Modification Detection Code" packet) [3] is really there to
protect against the truncation of encrypted (but unsigned) messages.

If you wanted to cobble together stronger message integrity but for some
reason didn't want any strong binding to a proof of origin or a
long-term key, i suppose you could create a temporary public key,
include it in the encrypted message, have it sign the cleartext message,
and include the signature packet as well.

I don't know of any tool that does this, though, and i'm not sure what
the use case would be.

	--dkg

[0] https://tools.ietf.org/html/rfc4880#section-5.7
[1] https://tools.ietf.org/html/rfc4880#section-5.1
[2] https://tools.ietf.org/html/rfc4880#section-5.3
[3] https://tools.ietf.org/html/rfc4880#section-5.14
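
The packet layout described in the message above, as an added example that is not part of the original post: a Python walker over top-level OpenPGP packet headers (RFC 4880 section 4.2) that reports which ESK packets precede the encrypted data and whether that data packet is the tag-18 form whose plaintext ends in an MDC. The function names and sample byte strings are constructed for illustration, and tag 18 (RFC 4880 section 5.13) is not named in the message itself.

```python
# Added example: walk top-level OpenPGP packet headers; nothing is decrypted.
TAGS = {1: "PK-ESK", 3: "SK-ESK"}   # session-key packets (sections 5.1, 5.3)
SED, SEIPD = 9, 18                  # encrypted data without / with trailing MDC

def read_new_length(buf, i):
    """Decode one new-format length; returns (length, next_index, is_partial)."""
    o = buf[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True      # partial body chunk, more follow

def list_packets(buf):
    """Return [(tag, body_length)] for each top-level packet in buf."""
    out, i = [], 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                       # new-format header
            tag, total, partial = hdr & 0x3F, 0, True
            while partial:
                n, i, partial = read_new_length(buf, i)
                total, i = total + n, i + n
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                   # indeterminate: body runs to end
                total, i = len(buf) - i, len(buf)
            else:
                width = 1 << ltype
                total = int.from_bytes(buf[i:i + width], "big")
                i += width + total
        if i > len(buf):
            raise ValueError("packet body runs past end of input")
        out.append((tag, total))
    return out

def describe(buf):
    """Name the session-key packets and say whether the payload carries an MDC."""
    tags = [t for t, _ in list_packets(buf)]
    return {"esk": [TAGS[t] for t in tags if t in TAGS], "mdc": SEIPD in tags}

# Constructed samples: real header bytes, filler bodies (not real ciphertext).
SYM_MSG = bytes([0xC3, 4, 4, 9, 0, 8, 0xD2, 5, 1, 0, 0, 0, 0])
PK_MSG = bytes([0x84, 3, 3, 0, 0, 0xA4, 2, 0, 0])
```

`SYM_MSG` has the shape of "gpg --symmetric" output (SK-ESK, then a tag-18 packet); `PK_MSG` is a PK-ESK followed by a tag-9 packet, which has no MDC.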
