[messaging] Transparency for E2E encrypted messaging at a centralized service
michael at briarproject.org
Thu Mar 27 03:03:44 PDT 2014
On 26/03/14 17:51, Daniel Kahn Gillmor wrote:
> All OpenPGP message encryption is symmetric, it's just preceded
> by PK-ESK ("public key encrypted session key") packet that
> allows the holder of a secret key to discover the symmetric session
> key used for encryption. "gpg --symmetric" just emits a SK-ESK
> ("symmetric-key encrypted session key") packet instead of (or
> in addition to) the PK-ESK.
> And of course, OpenPGP has message signatures, which clearly do
> cover strong integrity protection, but bundle it with
> proof-of-origin. These can be layered inside a typical encrypted
> message, regardless of whether you use a PK-ESK or SK-ESK.
> The MDC ("Modification Detection Code" packet) is really there
> to protect against the truncation of encrypted (but unsigned)
> If you wanted to cobble together stronger message integrity but for
> some reason didn't want any strong binding to a proof of origin or
> a long-term key, i suppose you could create a temporary public
> key, include it in the encrypted message, have it sign the
> cleartext message, and include the signature packet as well.
> I don't know of any tool that does this, though, and i'm not sure
> what the use case would be.
Thanks for the confirmation. The use case was quoted in my message:
> In an online-encrypted document sharing model, for the 98%, this
> with a symmetric key you choose, and stored online by the service.
> OpenPGP-decrypts the document using the password they received
> out-of-band, and downloads it. For the 2%, they PGP-encrypt the
> document using gpg, and upload it, communicate the secret out of
> PGP-decrypt it using gpg. If you build the service correctly, the
> service won't know ahead of time if the document is going to be
> user without a chance of detection.
If I understand correctly, this would require signatures as OpenPGP
doesn't provide MACs, and the public signature key would have to be
shared out-of-band along with the password.
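Added example, not part of the original message: a small Python reader for the outer OpenPGP packet headers (RFC 4880 framing) that reports whether a binary message carries PK-ESK or SK-ESK packets and whether its encrypted data uses the MDC-protected container. The function names and both sample byte strings are constructed for illustration, and the packet bodies are placeholders rather than real ciphertext.

```python
# Outer packet tags (RFC 4880, section 4.3) relevant to the thread:
# 1 = PK-ESK, 3 = SK-ESK, 9 = encrypted data without MDC,
# 18 = encrypted data with MDC (the MDC packet itself sits inside the ciphertext).

def read_packets(data):
    """Yield (tag, body) for each top-level packet in binary OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            first = data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:                   # indeterminate: runs to end of data
                length = len(data) - i
            else:
                n = 1 << ltype               # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + n], "big"); i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def describe(data):
    """Summarise how the session key is wrapped and whether an MDC is in use."""
    tags = [tag for tag, _ in read_packets(data)]
    return {"pk_esk": tags.count(1), "sk_esk": tags.count(3),
            "integrity_protected": 18 in tags, "legacy_unprotected": 9 in tags}

# Constructed sample: password-only message, SK-ESK then tag 18 (new format).
SAMPLE_SYMMETRIC = bytes([0xC3, 0x04, 0x04, 0x09, 0x00, 0x02,
                          0xD2, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00])
# Constructed sample: PK-ESK then tag 9, old-format headers, no MDC.
SAMPLE_LEGACY = bytes([0x84, 0x03, 0x03, 0x00, 0x00, 0xA4, 0x02, 0x00, 0x00])

if __name__ == "__main__":
    print(describe(SAMPLE_SYMMETRIC))
    print(describe(SAMPLE_LEGACY))
```

The check only inspects framing: a tag 18 container tells you an MDC is expected, not that it verifies, and neither container says anything about who produced the message.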