[147674] in cryptography@c2.net mail archive


[Cryptography] Encoding Key Identifiers in email addresses

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Tue Oct 15 13:51:35 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 15 Oct 2013 13:43:53 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>

I was noodling round with the problem of how to force an existing client to
do the right thing with respect to encryption. One option is to have an
email gateway do opportunistic encryption if it can find a key. Which is OK
but lacks user control.

I don't like the idea of user control coming from the UI because I have to
let the user make use of any email client they like, even ones that can't
cope with top posting. So I can't assume that there will be buttons to
press to say 'encrypt this message'. And that is not what I want in any
case.

What I probably want is the ability to force use of end-to-end encryption
for a small number of users like my clients, the lawyers, various crypto
folk. Something like the https scheme for SSL.

This is what I came up with (cut and pasted from the manual):

Private Key Example

Alice uses a key generation tool to generate a public keypair. The public
parameters in hexadecimal are:

Modulus  :
 db 13 46 62 02 6d c3 4b 98 24 e1 f9 a8 ca 61 3a
 3f 95 f3 d6 c0 45 5a fe 2d be 1d d7 76 d5 95 02
 f4 f9 1b 42 b5 7f 3b 14 f5 79 4c 34 f3 9f 04 07
 ba d2 52 30 dd 61 b3 4a 56 db 4b 12 b7 8b 87 55
 23 39 3a f5 a1 f0 6d 10 4e e8 bb 08 9f b0 66 92
 20 47 20 b4 77 4d 89 a6 58 a2 01 da 05 54 36 1b
 47 3e e0 dc 0b 4e 53 c1 c3 7d cd cf f7 b3 bf 7e
 45 38 5c 0c 0c 13 33 bb c7 da e6 c1 7d 37 f3 99
Exponent :
 01 00 01

The Key Identifier is calculated using SHA512 and truncated to 224 bits to
produce the Key Identifier value. The Key Identifier in Base32 encoding is:

KeyIdentifier: ACACEA-H7MBAA-LAA2RMA-FUAAFQ-AADHAHS-KNAL3A-DPZJAJ-KAA

An email sender may send email to Alice through a compliant gateway as
follows:

alice@example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found and Alice has published the email encryption
    policy 'encryption preferred' or stronger.

?alice@example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found, otherwise report an error.

ACACEA-H7MBAA-LAA2RMA-FUAAFQ-AADHAHS-KNAL3A-DPZJAJ-KAA?alice@example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found that is directly endorsed under the specified
    key, otherwise report an error.

ACACEA-H7MBAA-LAA2RMA-FUAAFQ-AADHAHS-KNAL3A-DPZJAJ-KAA??alice@example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found that is (directly or indirectly) endorsed under
    the specified key, otherwise report an error.

We can reduce the length of the key identifier from the 224 bits above to
128 bits if it is a personal key identifier.

In the scheme I am thinking of, the key identifier would be either a PGP v4
key or the hash of the PKIX PublicKeyInfo blob in DER format with an
algorithm identifier plastered on the front.

I am trying to work out how to do the truncation securely using standard
crypto libraries that don't allow the initial IV to be set. (The NIST
approach is broken in that regard).


-- 
Website: http://hallambaker.com/
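
Added example (not part of the original post or the author's software): how a
gateway could parse the four address forms described above into a delivery
policy, failing closed on anything malformed. The policy names, the Recipient
type, the simplified mailbox check and the rejection of '??' without a key
identifier are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Policy labels are chosen for this example; the post describes the
# behaviours but does not name them.
OPPORTUNISTIC = "encrypt-if-policy-published"   # alice@example.com
REQUIRED = "encrypt-or-error"                   # ?alice@example.com
DIRECT = "encrypt-under-key-direct"             # KEYID?alice@example.com
INDIRECT = "encrypt-under-key-indirect"         # KEYID??alice@example.com

# Dash-grouped Base32 characters (A-Z, 2-7), as in the post's sample identifier.
_KEYID = re.compile(r"[A-Z2-7]+(?:-[A-Z2-7]+)*")
# Simplified mailbox check (assumption): one '@', no whitespace, no '?'.
# RFC 5322 allows '?' in a local part, so a gateway using this syntax
# cannot also deliver to mailboxes whose local part contains '?'.
_MAILBOX = re.compile(r"[^@\s?]+@[^@\s?]+")


@dataclass(frozen=True)
class Recipient:
    mailbox: str
    policy: str
    key_id: Optional[str] = None


def parse_recipient(addr: str) -> Recipient:
    """Split a gateway address into mailbox, policy and optional key identifier."""
    addr = addr.strip()
    prefix, sep, rest = addr.partition("?")
    if not sep:
        mailbox, key_id, marks = addr, None, 0
    else:
        # One or two '?' separate the optional key identifier from the mailbox.
        marks = 2 if rest.startswith("?") else 1
        mailbox, key_id = rest[marks - 1:], prefix or None
    if not _MAILBOX.fullmatch(mailbox):
        raise ValueError(f"bad mailbox: {mailbox!r}")
    if key_id is None:
        if marks == 2:
            raise ValueError("'??' requires a key identifier")
        return Recipient(mailbox, REQUIRED if marks else OPPORTUNISTIC)
    # A malformed identifier is an error, never a silent fallback to a
    # weaker policy: the sender asked for encryption under a specific key.
    if not _KEYID.fullmatch(key_id):
        raise ValueError(f"bad key identifier: {key_id!r}")
    return Recipient(mailbox, INDIRECT if marks == 2 else DIRECT, key_id)
```
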
