[Cryptography] Encoding Key Identifiers in email addresses

Phillip Hallam-Baker hallam at gmail.com
Tue Oct 15 13:43:53 EDT 2013


I was noodling round with the problem of how to force an existing client to
do the right thing with respect to encryption. One option is to have an
email gateway do opportunistic encryption if it can find a key. Which is OK
but lacks user control.

I don't like the idea of user control coming from the UI because I have to
let the user make use of any email client they like, even ones that can't
cope with top posting. So I can't assume that there will be buttons to
press to say 'encrypt this message'. And that is not what I want in any
case.

What I probably want is the ability to force use of end-to-end encryption
for a small number of users like my clients, the lawyers, various crypto
folk. Something like the https scheme for SSL.

This is what I came up with (cut and pasted from the manual):

Private Key Example

Alice uses a key generation tool to generate a public keypair. The public
parameters in hexadecimal are:

Modulus  :
 db 13 46 62 02 6d c3 4b 98 24 e1 f9 a8 ca 61 3a
 3f 95 f3 d6 c0 45 5a fe 2d be 1d d7 76 d5 95 02
 f4 f9 1b 42 b5 7f 3b 14 f5 79 4c 34 f3 9f 04 07
 ba d2 52 30 dd 61 b3 4a 56 db 4b 12 b7 8b 87 55
 23 39 3a f5 a1 f0 6d 10 4e e8 bb 08 9f b0 66 92
 20 47 20 b4 77 4d 89 a6 58 a2 01 da 05 54 36 1b
 47 3e e0 dc 0b 4e 53 c1 c3 7d cd cf f7 b3 bf 7e
 45 38 5c 0c 0c 13 33 bb c7 da e6 c1 7d 37 f3 99
Exponent :
 01 00 01

The Key Identifier is calculated using SHA512 and truncated to 224 bits to
produce the Key Identifier value. The Key Identifier in Base32 encoding is:

KeyIdentifier: ACACEA-H7MBAA-LAA2RMA-FUAAFQ-AADHAHS-KNAL3A-DPZJAJ-KAA

An email sender may send email to Alice through a compliant gateway as
follows:

alice at example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found and Alice has published the email encryption
    policy 'encryption preferred' or stronger.

?alice at example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found, otherwise report an error.

ACACEA-H7MBAA-LAA2RMA-FUAAFQ-AADHAHS-KNAL3A-DPZJAJ-KAA?alice at example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found that is directly endorsed under the specified
    key, otherwise report an error.

ACACEA-H7MBAA-LAA2RMA-FUAAFQ-AADHAHS-KNAL3A-DPZJAJ-KAA??alice at example.com
    Send email to Alice using encryption if and only if an encryption key
    for Alice can be found that is (directly or indirectly) endorsed under
    the specified key, otherwise report an error.

We can reduce the length of the key identifier from the 224 bits above to
128 bits if it is a personal key identifier.

In the scheme I am thinking of, the key identifier would be either a PGP v4
key or the hash of the PKIX PublicKeyInfo blob in DER format with an
algorithm identifier plastered on the front.

I am trying to work out how to do the truncation securely using standard
crypto libraries that don't allow the initial IV to be set. (The NIST
approach is broken in that regard).


-- 
Website: http://hallambaker.com/
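
The four address forms in the post above, as a gateway-side parser and fail-closed decision function. This is an added example, not code from the post or its author. It assumes the archive's "at" stands for "@", that identifiers are upper-case Base32 of at least 128 bits, and that the opportunistic form falls back to plaintext; the names `parse_recipient`, `decide`, `Policy` and `Route` are hypothetical.

```python
import re
from enum import Enum
from typing import NamedTuple, Optional

class Policy(Enum):
    OPPORTUNISTIC = 1  # bare address: encrypt if key found and recipient policy allows
    REQUIRED = 2       # "?" prefix: encrypt with any key found, else error
    DIRECT = 3         # "<keyid>?": key must be directly endorsed under keyid
    INDIRECT = 4       # "<keyid>??": direct or indirect endorsement accepted

class Route(NamedTuple):
    mailbox: str            # address with the policy prefix stripped
    policy: Policy
    key_id: Optional[str]

# Assumption: 26 Base32 characters = 128 bits, the shortest length the post mentions.
MIN_KEY_ID_CHARS = 26
_ADDR = re.compile(
    r"^(?:(?P<kid>[A-Z2-7]+(?:-[A-Z2-7]+)*)(?P<marks>\?\??)|(?P<bare>\?))?"
    r"(?P<local>[^?@\s]+)@(?P<domain>[^?@\s]+)$")

def parse_recipient(addr: str) -> Route:
    m = _ADDR.match(addr)
    if m is None:  # e.g. "??alice@..." with no key identifier: not a defined form
        raise ValueError(f"unrecognised address form: {addr!r}")
    mailbox = f"{m['local']}@{m['domain']}"
    if m["kid"]:
        # Reject short identifiers instead of silently weakening the binding.
        if len(m["kid"].replace("-", "")) < MIN_KEY_ID_CHARS:
            raise ValueError("key identifier too short to bind a key")
        policy = Policy.INDIRECT if m["marks"] == "??" else Policy.DIRECT
        return Route(mailbox, policy, m["kid"])
    return Route(mailbox, Policy.REQUIRED if m["bare"] else Policy.OPPORTUNISTIC, None)

def decide(route: Route, key_found: bool, policy_published: bool = False,
           endorsement: Optional[str] = None) -> str:
    """Return 'encrypt', 'plaintext' or 'error'.
    endorsement is None, 'direct' or 'indirect' relative to route.key_id."""
    if route.policy is Policy.OPPORTUNISTIC:
        # The post states only when to encrypt; plaintext otherwise is this example's reading.
        return "encrypt" if key_found and policy_published else "plaintext"
    if route.policy is Policy.REQUIRED:
        return "encrypt" if key_found else "error"
    accepted = {"direct"} if route.policy is Policy.DIRECT else {"direct", "indirect"}
    return "encrypt" if key_found and endorsement in accepted else "error"
```

Only the opportunistic form can ever yield plaintext; every form that carries a "?" either encrypts or reports an error.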