[messaging] Transparency for E2E encrypted messaging at a centralized service

Michael Rogers michael at briarproject.org
Thu Mar 27 03:03:44 PDT 2014

On 26/03/14 17:51, Daniel Kahn Gillmor wrote:
> All OpenPGP message encryption is symmetric [0], it's just preceded
> by PK-ESK ("public key encrypted session key") packet [] that
> allows the holder of a secret key to discover the symmetric session
> key used for encryption.  "gpg --symmetric" just emits a SK-ESK
> ("symmetric-key encrypted session key") packet [2] instead of (or
> in addition to) the PK-ESK.
> And of course, OpenPGP has message signatures, which clearly do
> cover strong integrity protection, but bundle it with
> proof-of-origin. These can be layered inside a typical encrypted
> message, regardless of whether you use a PK-ESK or SK-ESK.
> The MDC ("Modification Detection Code" packet) [3] is really there
> to protect against the truncation of encrypted (but unsigned)
> messages.
> If you wanted to cobble together stronger message integrity but for
> some reason didn't want any strong binding to a proof of origin or
> a long-term key, i suppose you could create a temporary public
> key, include it in the encrypted message, have it sign the
> cleartext message, and include the signature packet as well.
> I don't know of any tool that does this, though, and i'm not sure
> what the use case would be.

Hi Daniel,

Thanks for the confirmation. The use case was quoted in my message:

> In an online-encrypted document sharing model, for the 98%, this
> would look like a document being OpenPGP-encrypted in javascript
> with a symmetric key you choose, and stored online by the service.
> The recipient visits the fileshare, using javascript
> OpenPGP-decrypts the document using the password they received
> out-of-band, and downloads it. For the 2%, they PGP-encrypt the
> document using gpg, and upload it, communicate the secret out of
> band, and the recipient decrypts it using javascript. Or, they
> receive a document encrypted with javascript and download it and
> PGP-decrypt it using gpg.  If you build the service correctly, the
> service won't know ahead of time if the document is going to be
> decrypted in javascript or gpg, and thus can't reliably attack the
> user without a chance of detection.

If I understand correctly, this would require signatures as OpenPGP
doesn't provide MACs, and the public signature key would have to be
shared out-of-band along with the password.
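As an added example (not code from this thread or from any OpenPGP implementation), the following Python walks the top-level packet headers of an OpenPGP message as laid out in RFC 4880 and reports which session-key packet (PK-ESK, tag 1, or SK-ESK, tag 3) it carries and whether the encrypted data is the MDC-protected kind (tag 18) or the unprotected kind (tag 9). The sample bytes are constructed for illustration and are not a real message.

```python
import io

def _read(buf, n):
    chunk = buf.read(n)
    if len(chunk) != n:
        raise ValueError("truncated packet")
    return chunk

def parse_packets(data: bytes):
    """Yield (tag, body) per top-level packet; old/new headers, partial lengths."""
    buf = io.BytesIO(data)
    while (first := buf.read(1)):
        ctb = first[0]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        body = bytearray()
        if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            while True:
                n = _read(buf, 1)[0]
                if n < 192:                 # one-octet length
                    length = n
                elif n < 224:               # two-octet length
                    length = ((n - 192) << 8) + _read(buf, 1)[0] + 192
                elif n == 255:              # five-octet length
                    length = int.from_bytes(_read(buf, 4), "big")
                else:                       # 224..254: partial body length, more follow
                    length = 1 << (n & 0x1F)
                body += _read(buf, length)
                if n < 224 or n == 255:
                    break
        else:                               # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                  # indeterminate: body runs to end of input
                body += buf.read()
            else:                           # 1-, 2- or 4-octet length field
                body += _read(buf, int.from_bytes(_read(buf, 1 << ltype), "big"))
        yield tag, bytes(body)

def integrity_summary(data: bytes) -> dict:
    """Which session-key packets the message has, and whether its encrypted
    data packet is SEIPD (tag 18, wraps an MDC) or SED (tag 9, no integrity)."""
    tags = [t for t, _ in parse_packets(data)]
    return {"pk_esk": 1 in tags, "sk_esk": 3 in tags,
            "mdc": 18 in tags, "no_integrity": 9 in tags}

# Constructed sample, not a real message: SK-ESK (v4, AES-256, simple S2K with
# SHA-256) followed by a SEIPD packet whose "ciphertext" is dummy bytes.
SAMPLE = bytes.fromhex("c3 04 04 09 00 08" "d2 06 01 deadbeef00")
```

Signature packets layered inside the ciphertext, as Daniel describes, only become visible after decryption, so this outer check can confirm MDC presence but not proof-of-origin.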