Message kit contents

[fjarri]

There are some issues with MessageKits that should be resolved before 6.0 since they change its serialization format, and it's a protocol object. The issues below are not orthogonal, and answering one of them may resolve or invalidate others.

1. Should we allow unsigned message kits (encrypt_and_sign() called without a signer)? Currently this capability is only used once in test, and message kits created this way cannot be deserialized (since the splitter assumes that there is a verifying key saved). So it is unlikely that anyone is currently using this functionality.

2. Should we give a choice of signing plaintext/ciphertext to the user? In what situations would they choose one over the other? Should we do it at all, or let the user handle signing of their own data? Also note that currently if we choose to sign the ciphertext, the resulting signature is not serialized, so the deserialized object is in an invalid state.

3. Assuming that we do not allow unsigned messages, does it still make sense to attach the signature presence flag to the plaintext and encrypting it?

4. The signature presence flag (if it's still required) needs to be made portable - see [WIP] Remove dynamic constants from cryptography products #2556

5. What is the proper way of handling the sender's verifying key? It is useful if one gets it from a separate channel, but if it is attached to the message, and we just check the message signature against the message key, we won't notice if the whole message kit got replaced midway.

   Currently in the code this happens if retrieve is called via BobInterface - Enrico is created there from the message kit's verifying key, so the whole sender check is useless. The only way to actually check it is to call retrieve programmatically and pass it an Enrico created using a data from a separate source. But: creating a whole character just to compare two public keys seems like an overkill, and it won't work if we want to decrypt messages from several Enricos.

6. Should the encrypt_for interface return the message kit and the signature? Is the signature ever used by itself? It's already embedded into the message kit.

[fjarri]

Ok, let's get things going on this. #2802 is being blocked.

First, we don't want to encrypt, then sign: ciphertext can be replaced along with the signature, and there is a possibility of signature forgery by the receiver (granted, it's been demonstrated for RSA and El Gamal, but who knows). So let's not sign the ciphertext.

Second, we don't want to include the sender's verifying key in plaintext with the kit. Since we don't sign ciphertexts, it can be easily replaced, so it doesn't really tell us anything.

We currently have three scenarios where we need to decide on what to sign/what to include with the message kit.

Enrico encrypts for Alice [to reencrypt]

We want to sign the plaintext to establish authorship, but we also want to include Alice's key in the signed plaintext, to prevent "surreptitious forwarding" (Alice repackaging Enrico's message for someone else). Can be Alice's verifying key, can be the policy key (or a hash of one).

Should we give the user an option to opt out? I think not, at least not at the start. The only reason one wouldn't want that is performance, and if that becomes an issue, we can introduce the optionality of signing later - easier than making it mandatory if it was optional to begin with. This, of course, requires the combined plaintext to be another Versioned object.

Publisher encrypt a treasure map for Bob

Bob wants to be sure the map was packaged by the Publisher, so we need to sign the plaintext, same as in Enrico's case. Forwarding is less of a problem than in Enrico's case, since the map doesn't contain any sensitive info, but if he's tricked by another Bob encrypting the map for him, he will waste time, because he won't be able to decrypt what he retrieved. So... I guess, include Bob's key in the signed message too? Again, we may go with his verifying key or his encrypting key.

Also, as a side note, why don't we encrypt the map for Porter? Why send it in plaintext?

Publisher encrypts a keyfrag for Ursula

This is a little different from the previous two cases, since Ursula only cares if the keyfrag is associated with a paid-for HRAC, and this is already enforced by AuthorizedKeyFrag (signed by the Publisher). So the Publisher does not really need to sign the plaintext again (or, we might do that, and get rid of the internal signature in AKFrag instead).

Does Ursula care about forwarding? If Ursula's key is not included in the signed message, Ursula can theoretically get the kfrag, and repackage it for another Ursula, creating a full ReencryptionRequest which will have to be handled. Not very useful, but Ursula can spam around this request, and it will be absolutely legitimately looking. So maybe include Ursula's key too.

---

So, it seems that for all three cases we want the message kit to be encrypt(signature(payload) + payload), where payload = message + hash(receivers_key). I do want to separate these three message kits into separate classes though, to allow for independent format change later.

Thoughts?

[jMyles]

This is a great issue.

My general response, at a high-level, is that it's preferable to maintain the kits API as a use-case-agnostic framework for misuse-resistant content transmission, and that we're better suited if while writing it we go out of our way to forget the ways in which we presently implement it.

Nevertheless, the specific scenarios you've outlined obviously warrant discussion. So:

1) Enrico encrypts for Alice [to reencrypt]

I'm afraid I'm unfamiliar with this one. Am I just spacing on it? When do we have enrico encrypting for Alice? And, given that Alice's DelegatingPower represents the keys to the kingdom for the Policy (well, label) in question, what's the impetus for causing inconvenience for her in the scenario that she, for whatever reason, wants to pass data on in a way that Enrico doesn't like?

2) Publisher encrypt a treasure map for Bob

I generally agree with the view you've expressed here. And also, yes, it makes sense to encrypt for the Porter endpoint (though, does Porter presently have a DecryptingPower?) - do we foresee a need to do this beyond requiring TLS?

3) Publisher encrypts a keyfrag for Ursula

Ursula can theoretically get the kfrag, and repackage it for another Ursula, creating a full ReencryptionRequest which will have to be handled.

Presumably this is the work of Vladimir, not Ursula. ;-)

My first thought while reading this is: if Ursula is verifying payment (ergo, that she herself is being paid to service the Policy), isn't this sufficient? Or are you concerned that others among the same Policy cohort will attempt this funny-business?

First, we don't want to encrypt, then sign: ciphertext can be replaced along with the signature, and there is a possibility of signature forgery by the receiver (granted, it's been demonstrated for RSA and El Gamal, but who knows). So let's not sign the ciphertext.

I'm still not convinced that there aren't times we'll want to sign the ciphertext additionally, in order to for attestations to be possible in posterity.

[fjarri]

I'm afraid I'm unfamiliar with this one. Am I just spacing on it? When do we have enrico encrypting for Alice?

Essentially, since Alice knows the private key corresponding to the public key we use for encryption, Enrico is encrypting for Alice. But, of course, the intended recipient is Bob (or Bobs as the case may be). Regardless of what you choose to call it, it's our main message kit usage scenario.

And, given that Alice's DelegatingPower represents the keys to the kingdom for the Policy (well, label) in question, what's the impetus for causing inconvenience for her in the scenario that she, for whatever reason, wants to pass data on in a way that Enrico doesn't like?

If I parsed that correctly, you're saying that you don't see the use of including Alice's key in the signed plaintext? It wouldn't be any inconvenience for her since, ideally, Alice will never have to decrypt the message kit at all. But Bob may check (if he cares) that the message was prepared for the "official distributor" (the same as the author of kfrags), and not repackaged for Alice-2 who then began to distribute it instead. In other words, by signing the Alices key into the message Enrico declares that he delegated the distribution rights to that Alice and no-one else.

My first thought while reading this is: if Ursula is verifying payment (ergo, that she herself is being paid to service the Policy), isn't this sufficient? Or are you concerned that others among the same Policy cohort will attempt this funny-business?

I am not sure about possible misuse scenarios, just tried to imagine a possible one. Yes, I agree, if Ursula checks if she has been paid to handle this specific HRAC, one won't be able to forge a ReencryptionRequest this way.

I'm still not convinced that there aren't times we'll want to sign the ciphertext additionally, in order to for attestations to be possible in posterity.

On one hand, we have not discovered any benefit in doing that in all the years we've been working on the codebase. On the other hand, if we do, implementing it will be a minor version bump in the protocol versioning, won't it? So we can decide it later.

Also, from my cursory search on the issue, it seems that encrypt-then-sign is not the recommended way to do things (see e.g. this article). Perhaps @cygnusv is more familiar with this.

[derekpierre]

Also, as a side note, why don't we encrypt the map for Porter? Why send it in plaintext?

Why would we need to encrypt the map for Porter? The unencrypted treasure map provides a threshold, hrac, and ursula address -> encrypted kfrag mappings.

A Porter service in production is expected to run over HTTPS, so communication between the caller and Porter would be over an encrypted channel. Anyone using an HTTP Porter service would be doing so at their own risk 😱 ☠️ .