
Re: [openpgp] Reducing the meta-data leak

2015-11-03 06:19:19
On Tuesday, 3 November 2015, Neal H. Walfield <neal(_at_)walfield(_dot_)org> wrote:

Hi,

At the IETF 94 OpenPGP WG session, Bryan, if I recall correctly,
suggested that we should try and hide more meta-data.  For instance,
instead of listing the recipients, someone decrypting a message would
try each of their available secret keys in turn.  Werner pointed out
that these probes are a pain for people who use a passphrase protected
key and I mentioned that it is a pain for people who use a smartcard,
in particular, those who use more than one smartcard.

What about using a bloom filter for encoding the recipients?  This, of
course, doesn't eliminate the meta-data leak and it can lead to false
positives (= gratuitous passphrase prompts / smartcard prompts), but
it should reduce the metadata leak a fair amount, I think.  Thoughts?
I'm skeptical that we could come up with a set of parameters such that this
provides any real protection.  On the loosest end, you would need to make
it ambiguous enough such that if you tried 'all' the OpenPGP keys you would
get too many false positives for it to be useful. On the tightest end, you
would need to make it ambiguous enough that even if you *had* the list of
the most common conversation partners of a user it would _still_ have too
many false positives to be useful.

And even then, the bloom filter is chosen once and set in stone in the spec
for all users and use cases? It would clearly not fit some of the
situations we expect OpenPGP to be used in.  And I tend to lean towards
more complex protocol options, but even I think user-configurable bloom
filters in every OpenPGP message is going too far...

-tom
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
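The parameter trade-off in Tom's reply, put in numbers as an added example (not code from the thread or from any OpenPGP implementation): a toy Bloom-filter recipient hint plus the standard false-positive estimate, with constructed key IDs and a constructed 40-contact address book. The same filter that produces thousands of false hits when probed against millions of keys leaves a known correspondent set almost fully resolved.

```python
import hashlib
import math

# Added illustration for the Bloom-filter recipient hint discussed above.
# Key IDs, filter size, hash count and contact lists are all constructed here.

class RecipientBloom:
    """Bloom filter over OpenPGP key IDs (hex strings), m bits and k hash functions."""
    def __init__(self, m_bits: int, k_hashes: int):
        self.m, self.k = m_bits, k_hashes
        self.bits = 0

    def _positions(self, key_id: str):
        # k bit positions derived from SHA-256(counter || key_id); constructed scheme.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + key_id.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, key_id: str) -> None:
        for pos in self._positions(key_id):
            self.bits |= 1 << pos

    def maybe_contains(self, key_id: str) -> bool:
        return all((self.bits >> pos) & 1 for pos in self._positions(key_id))

def false_positive_rate(m_bits: int, k_hashes: int, n_items: int) -> float:
    """Standard Bloom-filter estimate: (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes

def build_hint(recipients, m_bits=64, k_hashes=3) -> RecipientBloom:
    hint = RecipientBloom(m_bits, k_hashes)
    for key_id in recipients:
        hint.add(key_id)
    return hint

def matching_keys(hint: RecipientBloom, candidates) -> list:
    """Keys an observer would flag as possible recipients after probing the hint."""
    return [k for k in candidates if hint.maybe_contains(k)]

def leak_estimate(m_bits, k_hashes, n_recipients, population) -> float:
    """Expected false positives when `population` candidate keys are probed."""
    return false_positive_rate(m_bits, k_hashes, n_recipients) * population

if __name__ == "__main__":
    contacts = [f"{i:016X}" for i in range(40)]      # constructed address book
    hint = build_hint([contacts[3], contacts[17]])    # two true recipients
    # Against a 5M-key universe the hint is ambiguous (thousands of false hits)...
    print("expected false hits over 5M keys:", round(leak_estimate(64, 3, 2, 5_000_000)))
    # ...but against the 40 known contacts it pins down the recipients (~0.03 false hits).
    print("flagged among known contacts:", matching_keys(hint, contacts))
```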