[messaging] Transparency for E2E encrypted messaging at a centralized service

Thu Mar 27 03:03:44 PDT 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 26/03/14 17:51, Daniel Kahn Gillmor wrote:
> All OpenPGP message encryption is symmetric [0], it's just preceded
> by PK-ESK ("public key encrypted session key") packet [] that
> allows the holder of a secret key to discover the symmetric session
> key used for encryption.  "gpg --symmetric" just emits a SK-ESK
> ("symmetric-key encrypted session key") packet [2] instead of (or
> in addition to) the PK-ESK.
> 
> And of course, OpenPGP has message signatures, which clearly do
> cover strong integrity protection, but bundle it with
> proof-of-origin. These can be layered inside a typical encrypted
> message, regardless of whether you use a PK-ESK or SK-ESK.
> 
> The MDC ("Modification Detection Code" packet) [3] is really there
> to protect against the truncation of encrypted (but unsigned)
> messages.
> 
> If you wanted to cobble together stronger message integrity but for
> some reason didn't want any strong binding to a proof of origin or
> a long-term key, i suppose you could create a temporary public
> key, include it in the encrypted message, have it sign the
> cleartext message, and include the signature packet as well.
> 
> I don't know of any tool that does this, though, and i'm not sure
> what the use case would be.

Hi Daniel,

Thanks for the confirmation. The use case was quoted in my message:

> In an online-encrypted document sharing model, for the 98%, this
> would look like a document being OpenPGP-encrypted in javascript
> with a symmetric key you choose, and stored online by the service.
> The recipient visits the fileshare, using javascript
> OpenPGP-decrypts the document using the password they received
> out-of-band, and downloads it. For the 2%, they PGP-encrypt the
> document using gpg, and upload it, communicate the secret out of
> band, and the recipient decrypts it using javascript. Or, they
> receive a document encrypted with javascript and download it and
> PGP-decrypt it using gpg.  If you build the service correctly, the
> service won't know ahead of time if the document is going to be
> decrypted in javascript or gpg, and thus can't reliably attack the
> user without a chance of detection.

If I understand correctly, this would require signatures as OpenPGP
doesn't provide MACs, and the public signature key would have to be
shared out-of-band along with the password.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCAAGBQJTM/eAAAoJEBEET9GfxSfMzGAH/j4EF4umJWmAe3Xc6sdGyqYE
tfMUvVfVatlV+/wUpVmDAt+GgJYpE11evWkGXYT0p/Yd7wRDhbmGIMXea2PJmO0w
qMnOlfn4VtokQ8Ma+GxMgJxGkbmcAx7Xe9cAl/OFGxVHKanTrpWSBQvbLE86b4Ly
/bETTTzW5ukVSWetmufMbm1LkqyT1e5elPOu+hJVFdpULOvtr9AI4M3XCt77BZZ6
AL67VlvihYae5O6AqqBSrhZkVGkUGStLK29LANvTsngqGrKLczu05Q2SoLgI1TbO
MM0ij9YAEQaz7/nw4S14L76UCqyYcNGU9UvZBbGxeChvyZPL1UUDO50EcsTt9DM=
=mAIE
-----END PGP SIGNATURE-----