Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Experimental: Symmetric Keys and Forwarding #141

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

Experimental: Symmetric Keys and Forwarding #141

wants to merge 11 commits into from

Conversation

wussler
Copy link
Contributor

@wussler wussler commented Jan 17, 2023

Forwarding

An offline OpenPGP user might want to automatically forward part or all of their email messages to third parties. Given that messages are encrypted, this requires transforming them into ciphertexts decryptable by the intended forwarded parties, while maintaining confidentiality and authentication. This can be achieved using Proxy transformations on the Curve25519 elliptic curve field with minimal changes to the OpenPGP protocol, in particular no change is required on the sender side. In this document we implement the forwarding scheme described in OpenPGP Email Forwarding Via Diverted Elliptic Curve Diffie-Hellman Key Exchanges.

Symmetric keys

It is sometimes useful to encrypt data under some symmetric key. While this was possible to do using passphrase-derived keys, there was no support for long-term storage of the keys that was used to encrypt the key packets.

To solve this, a new type of key is introduced. This key will hold a symmetric key, and will be used for both encryption and decryption of data. Specifically, as with asymmetric keys, the actual data will be encrypted using a session key, generated ad-hoc for these data. Then, instead of using a public key to encrypt the session key, the persistent symmetric key will be used instead, to produce a, so to say, Key Encrypted Key Packet.

Conversely, instead of using a private key to decrypt the session key, the same symmetric key will be used. Then, the decrypted session key can be used to decrypt the data packet, as usual.

As with the case of AEAD keys, it is sometimes useful to "sign" data with a persistent, symmetric key.

This key holds a symmetric key, which can be used for both signing and verifying the integrity of data. While not strictly needed, the signature process will first generate a digest of the data-to-be-signed, and then the key will be used to sign the digest, using an HMAC construction.

For technical reasons, related to this implementation of the openpgp protocol, the secret key material is also stored in the newly defined public key types. Future contributors must take note of this, and not export or serialize that key in a way that it will be publicly available.

Since symmetric keys do not have a public and private part, there is no point serializing the internal "public key" structures. Thus, symmetric keys are skipped when serializing the public part of a keyring.

openpgp/forwarding.go Outdated Show resolved Hide resolved
openpgp/forwarding.go Outdated Show resolved Hide resolved
openpgp/forwarding.go Show resolved Hide resolved
@wussler wussler force-pushed the Proton branch 2 times, most recently from bf6b325 to 08c6691 Compare April 26, 2023 10:28
@lubux lubux force-pushed the Proton branch 2 times, most recently from e48ac98 to 1310627 Compare January 18, 2024 14:34
@lubux lubux force-pushed the Proton branch 2 times, most recently from 0b33f7b to 5cc763e Compare July 18, 2024 12:11
@twiss twiss mentioned this pull request Sep 25, 2024
@lubux lubux force-pushed the Proton branch 3 times, most recently from e709df1 to 9c0359b Compare November 8, 2024 15:05
@twiss twiss force-pushed the Proton branch 2 times, most recently from e5928a3 to 8a59df2 Compare November 12, 2024 16:12
lubux and others added 5 commits November 25, 2024 14:28
It is sometimes useful to encrypt data under some symmetric key.
While this was possible to do using passphrase-derived keys, there was
no support for long-term storage of the keys that was used to encrypt
the key packets.

To solve this, a new type of key is introduced. This key will hold a
symmetric key, and will be used for both encryption and decryption of
data. Specifically, as with asymmetric keys, the actual data will be
encrypted using a session key, generated ad-hoc for these data.
Then, instead of using a public key to encrypt the session key, the
persistent symmetric key will be used instead, to produce a, so to say,
Key Encrypted Key Packet.

Conversly, instead of using a private key to decrypt the session key,
the same symmetric key will be used. Then, the decrypted session key
can be used to decrypt the data packet, as usual.

As with the case of AEAD keys, it is sometimes useful to "sign"
data with a persistent, symmetric key.

This key holds a symmetric key, which can be used for both signing and
verifying the integrity of data. While not strictly needed, the
signature process will first generate a digest of the data-to-be-signed,
and then the key will be used to sign the digest, using an HMAC
construction.

For technical reasons, related to this implenetation of the openpgp
protocol, the secret key material is also stored in the newly defined
public key types. Future contributors must take note of this, and not
export or serialize that key in a way that it will be publicly availabe.

Since symmetric keys do not have a public and private part, there is no
point serializing the internal "public key" structures. Thus, symmetric
keys are skipped when serialing the public part of a keyring.
Squashed commits:
Update KDF to use SHA3-256
[5ff62f7] WIP: bump to draft-ietf-openpgp-pqc-01
[3949477] Import CIRCL fork with ML-KEM and ML-DSA
[5033a18] Update implementation from draft v1 to v3
- Remove v6 binding for PQC KEMs
- Update KDF
- Update reference comments
- Rename SPHINCS+ to SLH-DSA
- Rename Dilithium to ML-DSA
- Rename Kyber to ML-KEM
- Add vectors generated with RNP
- Fix misc bugs and improve tests
[c53e2e3] Add benchmarking
[d832873] Add read-write tests
[8254a42] Bind PQC packets to v6
[21f33d3] Change testdata for Kyber keys and prepare for v6 PKESK
[fa295de] Change domain separation
[c5bc3c1] Add SPHINCS+ signature support
[603ced6] Add references and clean code
[9b26049] Prefer PQ keys
[6e5ec9c] Add hybrid Kyber + ECDH, Dilithium + EC/EdDSA support
[4d1ed63] Adapt PQC to the v2 API
[3661202] Remove sphincs PQC logic
[2a463c8] Remove PQC algorithms with brainpool and nist curves
[29ee4e6] Update links to PQC draft-rfc
[a75af1c] feat: Update to latest circle version
[587aac2] feat: Derive ML-DSA keys from seed
[ec6b930] feat: Fallback to AES256 if all recipients are PQ
[1c0666f] refactor:  Improve mlkem readability
[5d56595] feat: Integrate review feedback
[cd836af] feat: Update circl to v1.5.0
[902b302] chore: Add kmac back
[cee95ab] feat: Update to new kmac key combiner in kem
[086f153] Disallow v4 PQC KEM keys
[2440667] feat: Add seed format for ML-KEM
[3052ac2] feat: Integrate ML-DSA seed fromat
[c00cd40] feat: Update kem key combinder to latest version
[9677cf4] feat: Avoid panic on key size in kmac
[1bd89db] fix: Kem key combiner should use the kmac correct key
[28848f7] feat: Force SHA3 for ML-DSA
[6faefab] feat: Enforce SHA3 in clearsing API in ML-DSA
[5de74a1] refactor: Add HandleSpecificHash method on PublicKeyAlgorithm
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants