From 006ef392fc4d30a4301a192ec487e08cb4b4680b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 7 Dec 2023 23:52:03 +0100 Subject: [PATCH] Big commit, should have split into smaller commits, but haven't --- book/source/11-decryption.md | 179 +++++++++++- book/source/drawio/PKESKv3-decryption.drawio | 57 ++++ book/source/drawio/PKESKv3-decryption.svg | 4 + book/source/drawio/PKESKv6-decryption.drawio | 66 +++++ book/source/drawio/PKESKv6-decryption.svg | 4 + book/source/drawio/SEIPDv1-decryption.drawio | 69 +++++ book/source/drawio/SEIPDv1-decryption.svg | 4 + .../drawio/SEIPDv2-decryption-chunks.drawio | 257 ++++++++++++++++++ .../drawio/SEIPDv2-decryption-chunks.svg | 4 + .../SEIPDv2-decryption-mk-derivation.drawio | 119 ++++++++ .../SEIPDv2-decryption-mk-derivation.svg | 4 + book/source/drawio/SKESKv4-decryption.drawio | 114 ++++++++ book/source/drawio/SKESKv4-decryption.svg | 4 + book/source/drawio/SKESKv6-decryption.drawio | 220 +++++++++++++++ book/source/drawio/SKESKv6-decryption.svg | 4 + 15 files changed, 1108 insertions(+), 1 deletion(-) create mode 100644 book/source/drawio/PKESKv3-decryption.drawio create mode 100644 book/source/drawio/PKESKv3-decryption.svg create mode 100644 book/source/drawio/PKESKv6-decryption.drawio create mode 100644 book/source/drawio/PKESKv6-decryption.svg create mode 100644 book/source/drawio/SEIPDv1-decryption.drawio create mode 100644 book/source/drawio/SEIPDv1-decryption.svg create mode 100644 book/source/drawio/SEIPDv2-decryption-chunks.drawio create mode 100644 book/source/drawio/SEIPDv2-decryption-chunks.svg create mode 100644 book/source/drawio/SEIPDv2-decryption-mk-derivation.drawio create mode 100644 book/source/drawio/SEIPDv2-decryption-mk-derivation.svg create mode 100644 book/source/drawio/SKESKv4-decryption.drawio create mode 100644 book/source/drawio/SKESKv4-decryption.svg create mode 100644 book/source/drawio/SKESKv6-decryption.drawio create mode 100644 book/source/drawio/SKESKv6-decryption.svg 
diff --git a/book/source/11-decryption.md b/book/source/11-decryption.md index a3e39dd..31ee3ea 100644 --- a/book/source/11-decryption.md +++ b/book/source/11-decryption.md @@ -6,6 +6,22 @@ SPDX-License-Identifier: CC-BY-SA-4.0 (decryption_chapter)= # Decryption +Message decryption is the process of taking an encrypted message and recovering its plaintext. +This involves multiple steps. + +Implementations typically first process the PKESK and SKESK packets leading the SEIPD packet to identify \*ESK packets suitable for decryption. +A PKESK packet is suitable, if it contains a recipient-keyID matching a decryption (sub-) key of the users certificate. +Typically, all \*ESK packets leading a SEIPD packet contain the same *session-key* once decrypted. + +```{note} + +Anonymous-recipient PKESK packets contain a recipient-keyID of `0`, so if no suitable non-anonymous PKESK was found, any anonymous PKESKs are tried with any available decryption (sub-) keys (see [](decryption_anonymous_recipient)). +``` + +If no suitable PKESK packets were found, SKESK packets are tried next, meaning the user is typically prompted to enter a decryption passphrase. + +Once any of these methods succeeded, the resulting *session-key* is used to decrypt the SEIPD packet. + ```{admonition} TODO :class: warning 
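Review bot: the suitability criterion in the new intro paragraph is stated loosely and should be tightened: "A PKESK packet is suitable, if it contains a recipient-keyID matching a decryption (sub-) key of the users certificate" wants "suitable if" (no comma) and "user's certificate", "leading the SEIPD packet" reads better as "preceding the SEIPD packet", and "Once any of these methods succeeded" should be "has succeeded". More importantly, the paragraph presents "identify \*ESK packets suitable for decryption" and "tried next" as if a primitive decryption that completes without error yields the session key, but it never says how the implementation decides that a candidate (a wrong passphrase on an SKESK, or an anonymous PKESK tried against the wrong subkey) actually succeeded; one sentence here pointing at the success check (the anonymous-recipient section's TODO already names the checksum and a trial decryption of the first SEIPD octets) would keep a reader from treating every decryption result as a valid session key.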
@@ -15,10 +31,171 @@ SPDX-License-Identifier: CC-BY-SA-4.0 - using revoked subkey? ``` -## SEIPD w/ AEAD (v2) +## Symmetric decryption of the session-key (SKESK) + +Decrypting a SKESK packet to recover the *session-key* is done by performing the encryption steps in reverse, based on a user-provided passphrase. + +In both version 4 and version 6 of the SKESK packet, the user is prompted to enter a passphrase, which is passed through the S2K function described by the SKESK packet. +However, the subsequent steps of the procedure are different: + +### SKESK v4 + +Here, the result of the S2K function is a symmetric key, which is either used to decrypt the encrypted session-key contained in the SKESK packet, or - less commonly - used as session-key directly. + +```{note} + +The "direct method" where the result of the S2K function is directly used as session key is only applicable if only one SKESK packet is present. +``` + +```{figure} drawio/SKESKv4-decryption.svg +:name: fig-skeskv4-decryption +:alt: Diagram depicting how the S2K function is used to derive key symmetric key from the user-provided passphrase. This key is then either used directly as session-key, or used to decrypt the encrypted session-key. + +Decrypting the session-key from a version 4 SKESK packet. +``` + +With version 4 SKESK packets, which are only used with version 1 SEIPD packets, the *session-key* is used as *message-key* without an intermediate derivation. +The symmetric cipher algorithm tag of the SKESK packet dictates the cipher algorithm used to decrypt the plaintext from the SEIPD packet. + +### SKESK v6 + +With version 6 SKESK packets, the result of the passing the passphrase through the S2K function is used as *initial keying material* (IKM) to derive a symmetric *key encryption key* using HKDF as a key derivation function. The HKDF function doesn't use any salt in this step and the *info* parameter is assembled from parameters of the SKESK packet. 
+ +In the next step, this symmetric key is used to decrypt the *session-key* using AEAD. +The AEAD function uses information from the associated SEIPDv2 packet as *additional data*. +The function is also salted using the SEIPDv2's salt. +The *AEAD Auth Tag* of the SKESK packet is used as authentication tag. + +The result is the *session-key*. + +```{figure} drawio/SKESKv6-decryption.svg +:name: fig-skeskv6-decryption +:alt: Diagram depicting the complicated process of deriving the session-key from a SKESK version 6 packet. + +Decrypting the session-key from a version 6 SKESK packet. +``` + +## Asymmetric decryption of the session key via PKESK + +More common than SKESK packets are PKESK packets which are used for asymmetric encryption of the session-key. +Here, the recipients secret key is used to decrypt the session-key. + +### PKESK v3 + +With version 3 PKESKs, the recipients secret encryption (sub-) key is directly used to decrypt the encrypted *session key*. +The key ID of the subkey to be used is recorded in the PKESKs key-id field. A value of `0` indicates an anonymous recipient (see [](decryption_anonymous_recipient)). + +To detect, which symmetric cipher is used to decrypt the SEIPDv1 packet later on, each public key algorithm uses a slightly different encoding to unpack the symmetric algorithm tag from the decrypted session key. See sections 5.1.3 through 5.1.7 of the OpenPGP specification. Typically, the cipher algorithm ID is prefixed the the actual session key. + +```{admonition} TODO +:class: warning + +Link those sections directly +``` + +```{figure} drawio/PKESKv3-decryption.svg +:name: fig-decryption-pkesk3 +:alt: Depicts, how the the secret-key component of the users encryption subkey is directly used to decrypt the encrypted session-key. + +Decrypting the session-key from a version 3 PKESK packet. +``` + +### PKESK v6 + +The decryption of version 6 PKESK packets works quite similar to version 3. 
+ +```{figure} drawio/PKESKv6-decryption.svg +:name: fig-decryption-pkesk6 +:alt: Depicts, how the the secret-key component of the users encryption subkey is directly used to decrypt the encrypted session-key. + +Decrypting the session-key from a version 6 PKESK packet. +``` + +Contrary to the version 3 PKESK, the encrypted session-key within the version 6 PKESK does not contain the symmetric cipher algorithm used to decrypt the SEIPD packet. +Instead, this cipher algorithm ID is encoded inside the SEIPDv2 packet directly. + +(decryption_anonymous_recipient)= +### Anonymous recipients + +Having all recipients keys listed as part of the PKESK packets presents a metadata leakage. An observer can easily enumerate recipients of a message by comparing the PKESKs with certificates of potential recipients. + +To prevent this issue, the sender can decide to add individual recipients as anonymous recipients using a wildcard key-ID / fingerprint. +This is done by creating a normal PKESK packet for the recipient, but setting the recipient key field to `0` (as well as omitting the version number of the key for v6 PKESKs). + +A recipient of such a message that does not find a PKESK addressed specifically to any of their keys, can then try to decrypt any anonymous PKESK packets using any of their encryption subkeys. + +```{admonition} TODO +:class: warning + +When did the decryption succeed? Describe quick check of the check sum and decryption of first few bytes of the SEIPD as test strategies. +``` ## SEIPD (v1) +Version 1 SEIPD packets MUST only be used with version 3 PKESK packets and/or version 4 SKESK packets. +Any other combinations are not allowed and MUST result in a broken message. + +```{note} +Since SEIPD version 1 is susceptible to downgrade attacks under certain scenarios, it is recommended to use SEIPD version 2 wherever possible. +``` + +To decrypt the contents of a version 1 SEIPD packet, the session-key obtained in the previous step is used. 
+The cipher algorithm is determined by TODO. + +```{adminonition} TODO +:class: warning + +Describe in detail, how the cipher algorithm is obtained. +``` + +Once the cipher is initialized, the whole encrypted data from the SEIPD packet is decrypted. + +```{admonition} TODO +:class: warning + +Describe the MDC which is used for modification detection. +``` + +```{figure} drawio/SEIPDv1-decryption.svg +:name: fig-decryption-seipd1 +:alt: Depicts how the session-key is used directly to decrypt the contents of the SEIPD packet. + +The contents of the SEIPD packet are decrypted using the session-key as message-key. +``` + + +## SEIPD w/ AEAD (v2) + +Preferred mode. +Version 2 SEIPD packets MUST only be used with version 6 PKESK packets and/or version 6 SKESK packets. +Any other combinations are not allowed and MUST result in a broken message. + +Once the session-key was obtained from a PKESK or SKESK, it is used to derive a *message-key* and an IV. This is done by passing the session-key through a salted HKDF function, where the salt is unique per message and obtained from the SEIPD packet. + +The result is split into the message key and first half of the IV. + +```{figure} drawio/SEIPDv2-decryption-mk-derivation.svg +:name: fig-decryption-seipd2-mk-derivation +:alt: Depicts how the session-key is fed into a salted HKDF to derive both the message-key and the first half of an IV. + +In a first step, a message-key and half of an IV is derived from the session-key. +``` + +Then, the contens of the SEIPDs encrypted data are split into chunks, which are processed sequentially. Each chunk is decrypted using AEAD with parameters from the SEIPD packet as *additional data*. +For each chunk, the chunk index starting at `0` is passed into the function as second half of the IV. + +All decrypted plaintext blocks are appended to form the result of the decryption process. 
+ +After all blocks have been processed, in a last AEAD step, the total number of plaintext octets gets appended to the *additional data* and the final AEAD auth tag from the SEIPD packet is processed. + +```{figure} drawio/SEIPDv2-decryption-chunks.svg +:name: fig-decryption-seipd2-chunks +:alt: Depicts, how the message-key and index-postfixed IV are used to decrypt each individual chunk of plaintext. + +Each chunk is decrypted using AEAD using the message-key and an IV with appended chunk index. +``` + + ## SED Legacy mode, may be decrypted, but not produced. diff --git a/book/source/drawio/PKESKv3-decryption.drawio b/book/source/drawio/PKESKv3-decryption.drawio new file mode 100644 index 0000000..235b4f1 --- /dev/null +++ b/book/source/drawio/PKESKv3-decryption.drawio @@ -0,0 +1,57 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/PKESKv3-decryption.svg b/book/source/drawio/PKESKv3-decryption.svg new file mode 100644 index 0000000..28e9267 --- /dev/null +++ b/book/source/drawio/PKESKv3-decryption.svg @@ -0,0 +1,4 @@ + + + +
Secret Key
Key-ID: 0xB0B
Secret KeyKey-ID: 0x...
Asymmetric
Decryption
Asymmetric...
Symmetric Key
Symmetric Key
PKESKv3
PKESKv3
Key-ID: 0xB0B
Key-ID: 0xB0B
Asymmetric Algo.
Asymmetric Algo.
ciphertext
ciphertext
Enc. Session-Key
Enc. Session-Key
Text is not SVG - cannot display
\ No newline at end of file diff --git a/book/source/drawio/PKESKv6-decryption.drawio b/book/source/drawio/PKESKv6-decryption.drawio new file mode 100644 index 0000000..26142f7 --- /dev/null +++ b/book/source/drawio/PKESKv6-decryption.drawio @@ -0,0 +1,66 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/PKESKv6-decryption.svg b/book/source/drawio/PKESKv6-decryption.svg new file mode 100644 index 0000000..0a0dd87 --- /dev/null +++ b/book/source/drawio/PKESKv6-decryption.svg @@ -0,0 +1,4 @@ + + + +
Secret Key
Key-ID: 0xB0B
Version: 6
Secret Key...
Asymmetric
Decryption
Asymmetric...
Session-Key
Session-Key
PKESKv6
PKESKv6
Fingerprint: 0xB0B
Fingerprint: 0xB...
Asymmetric Algo.
Asymmetric Algo.
ciphertext
ciphertext
Enc. Session-Key
Enc. Session-Key
Key-Version: 6
Key-Version: 6
Text is not SVG - cannot display
\ No newline at end of file diff --git a/book/source/drawio/SEIPDv1-decryption.drawio b/book/source/drawio/SEIPDv1-decryption.drawio new file mode 100644 index 0000000..4e86af7 --- /dev/null +++ b/book/source/drawio/SEIPDv1-decryption.drawio @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/SEIPDv1-decryption.svg b/book/source/drawio/SEIPDv1-decryption.svg new file mode 100644 index 0000000..09c1962 --- /dev/null +++ b/book/source/drawio/SEIPDv1-decryption.svg @@ -0,0 +1,4 @@ + + + +
key
key
Message-Key
(Session-Key)
Message-Key(Session-...
SEIPDv1
SEIPDv1
Encrypted Data
Encrypted Data
Symmetric
Decryption
Symmetric...
algorithm
algorithm
Extract
Cipher
Algorithm
Extract...
ciphertext
ciphertext
Plaintext
Plaintext
Text is not SVG - cannot display
\ No newline at end of file diff --git a/book/source/drawio/SEIPDv2-decryption-chunks.drawio b/book/source/drawio/SEIPDv2-decryption-chunks.drawio new file mode 100644 index 0000000..e38b132 --- /dev/null +++ b/book/source/drawio/SEIPDv2-decryption-chunks.drawio @@ -0,0 +1,257 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/SEIPDv2-decryption-chunks.svg b/book/source/drawio/SEIPDv2-decryption-chunks.svg new file mode 100644 index 0000000..7376d21 --- /dev/null +++ b/book/source/drawio/SEIPDv2-decryption-chunks.svg @@ -0,0 +1,4 @@ + + + +
key
key
key
key
Message-Key
Message-Key
SEIPDv2
SEIPDv2
Cipher Algo.
Cipher Algo.
AEAD Algo.
AEAD Algo.
Chunk Size
Chunk Size
Salt
Salt
Encrypted Data
Encrypted Data
ciphertext
ciphertext
Final AEAD
Auth Tag
Final AEAD...
IV
IV
AD
AD
Packet Type ID,
Version Number,
Cipher Algo,
AEAD Algo,
Chunk Size
Packet Type ID,...
Packet Type, Version
Packet Type, Version
+
+
toChunk(i)
toChunk(i)
append
chunk
index(i)
append...
Chunk #i
Chunk #i
nonce
nonce
nonce
nonce
Nonce #i
Nonce #i
ciphertext
ciphertext
Tag #i
Tag #i
AEAD
AEAD
Plaintext Block #i
Plaintext Block #i
Final
AEAD
Step
Final...
AD
AD
AD,
#Plaintext Octets
AD,...
AD
AD
""
""
Text is not SVG - cannot display
\ No newline at end of file diff --git a/book/source/drawio/SEIPDv2-decryption-mk-derivation.drawio b/book/source/drawio/SEIPDv2-decryption-mk-derivation.drawio new file mode 100644 index 0000000..5f7dba1 --- /dev/null +++ b/book/source/drawio/SEIPDv2-decryption-mk-derivation.drawio @@ -0,0 +1,119 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/SEIPDv2-decryption-mk-derivation.svg b/book/source/drawio/SEIPDv2-decryption-mk-derivation.svg new file mode 100644 index 0000000..7491d2d --- /dev/null +++ b/book/source/drawio/SEIPDv2-decryption-mk-derivation.svg @@ -0,0 +1,4 @@ + + + +
Message-Key
Message-Key
SEIPDv2
SEIPDv2
Cipher Algo.
Cipher Algo.
AEAD Algo.
AEAD Algo.
Chunk Size
Chunk Size
salt
salt
Salt
Salt
Encrypted Data
Encrypted Data
Final AEAD
Auth Tag
Final AEAD...
IKM
IKM
Session-Key
(decrypted from PKESK/SKESK)
Session-Key...
HKDF
HKDF
IV
IV
info
info
Packet Type ID,
Version Number,
Cipher Algo,
AEAD Algo,
Chunk Size
Packet Type ID,...
Packet Type, Version
Packet Type, Version
+
+
Text is not SVG - cannot display
\ No newline at end of file diff --git a/book/source/drawio/SKESKv4-decryption.drawio b/book/source/drawio/SKESKv4-decryption.drawio new file mode 100644 index 0000000..0a8c28f --- /dev/null +++ b/book/source/drawio/SKESKv4-decryption.drawio @@ -0,0 +1,114 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/SKESKv4-decryption.svg b/book/source/drawio/SKESKv4-decryption.svg new file mode 100644 index 0000000..879f6bc --- /dev/null +++ b/book/source/drawio/SKESKv4-decryption.svg @@ -0,0 +1,4 @@ + + + +
Passphrase
Passphrase
S2K Function
S2K Function
Session Key
Session Key
Symmetric Key
Symmetric Key
SKESKv4
SKESKv4
Cipher Algo.
Cipher Algo.
S2K Identifier
S2K Identifier
ciphertext
ciphertext
Enc. Session-Key
Enc. Session-Key
yes
yes
key
key
no
no

Is
Encrypted
Session-Key
present
Is...
Symmetric
Decryption
Symmetric...
Text is not SVG - cannot display
\ No newline at end of file diff --git a/book/source/drawio/SKESKv6-decryption.drawio b/book/source/drawio/SKESKv6-decryption.drawio new file mode 100644 index 0000000..5bdafa0 --- /dev/null +++ b/book/source/drawio/SKESKv6-decryption.drawio @@ -0,0 +1,220 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/source/drawio/SKESKv6-decryption.svg b/book/source/drawio/SKESKv6-decryption.svg new file mode 100644 index 0000000..898a5fc --- /dev/null +++ b/book/source/drawio/SKESKv6-decryption.svg @@ -0,0 +1,4 @@ + + + +
Encrypted Message
Encrypted Message
SEIPDv2
SEIPDv2
Salt: 49f8edc3
Salt: 49f8edc3
Ciphertext
Ciphertext
Cipher Algo.
Cipher Algo.
AEAD Mode
AEAD Mode
Chunk Size
Chunk Size
AEAD Auth Tag
AEAD Auth Tag
Passphrase
Passphrase
SKESKv6
SKESKv6
Cipher Algo.
Cipher Algo.
AEAD Mode
AEAD Mode
S2K Identifier
S2K Identifier
IV: 0xC0FFEE
IV: 0xC0FFEE
Enc. Session-Key
Enc. Session-Key
AEAD Auth Tag
AEAD Auth Tag
S2K Function
S2K Function
HKDF
(no salt)
HKDF(no salt)
IKM
IKM
Packet Type ID,
Packet Version,
Cipher Algo,
AEAD Mode
Packet Type ID,...
Packet Type and Verison
Packet Type and Verison
Key Encryption Key
Key Encryption Key
Info
Info
AEAD
AEAD
Packet Type ID,
Packet Version,
Cipher Algo,
AEAD Mode
Packet Type ID,...
Packet Type and Verison
Packet Type and Verison
Salt
Salt
AD
AD
Key
Key
Ciphertext
Ciphertext
Auth Tag
Auth Tag
Session Key
Session Key
Text is not SVG - cannot display
\ No newline at end of file
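Review bot: the SEIPD (v1) section opens a fence with `{adminonition}` instead of `{admonition}`, so MyST will reject the directive and the TODO block after "The cipher algorithm is determined by TODO." will not render; fix the spelling, and move that dangling "determined by TODO." sentence into the admonition so no placeholder remains in body text. In the SKESK v6 section the prose says the AEAD step takes "information from the associated SEIPDv2 packet as additional data" and "is also salted using the SEIPDv2's salt", but it never mentions the IV that the SKESK v6 packet itself carries (the SKESKv6 figure in this patch draws it as "IV: 0xC0FFEE"), and the figure's AD label lists "Packet Type ID, Packet Version, Cipher Algo, AEAD Mode" without saying which packet they belong to; in the specification the SKESK's own IV is the AEAD nonce and the SKESK's own type/version/cipher/AEAD octets are the additional data, while the SEIPDv2 salt only enters message-key derivation, so prose and figure should be aligned on that. "Any other combinations are not allowed and MUST result in a broken message" (stated twice) describes the decrypting side's obligation, so "MUST be rejected as malformed" says what an implementer has to do. In the SEIPD v2 section the final step says the total octet count is appended to the additional data and the final tag "is processed", but it does not say that a failing chunk tag or final tag aborts decryption, that the octet count is what makes truncation detectable, or which chunk index the final step's nonce uses; all three are things an implementer reading this chapter needs. Remaining typos to fix in the same hunk: "the result of the passing the passphrase", "prefixed the the actual session key", "recipients secret key", "PKESKs key-id field", "contens of the SEIPDs encrypted data", "Depicts, how the the secret-key" (twice), "derive key symmetric key", "users encryption subkey".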
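Review bot: the SKESKv6-decryption.svg labels "Packet Type and Verison" (it appears twice, once for the HKDF info and once for the AEAD additional data) misspell "Version"; since the .svg is exported from the .drawio committed alongside it, correct the text in SKESKv6-decryption.drawio and re-export rather than editing the SVG by hand, so the two files do not drift apart.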