[Cryptography] How should we encrypt external mail attachments

Michael Kjörling michael at kjorling.se
Mon Aug 2 15:20:21 EDT 2021


On 1 Aug 2021 14:59 -0400, from johnl at iecc.com (John Levine):
> We already have PGP and S/MIME and STARTTLS to deter snooping on mail
> so there's no need to reinvent them.
> 
> My question is what algorithms to use? The file can be anything up to
> several gigabytes so they should be reasonably fast. It's OK if the hash
> and key are fairly large, since a few hundred or even a few thousand
> bytes in a mail message is not a big deal these days.

Considering that e-mail itself is unauthenticated to begin with,
thereby giving a potential adversary the ability to tamper with the
external-reference data just as well as any other part of the message
body, is there any particular reason not to go with the simple
solution of just about any cryptographic hash?

I haven't looked at the RFCs you reference, but if you're putting a
cryptographic hash of any kind in there (which IMO seems like a very
good idea especially in today's environment), you might want to very
strongly consider using, or at the very least supporting, multiple
hashes formatted in some standardized manner, instead of mandating any
one hash algorithm in particular. That would allow transitioning away
from weak ones the day we realize that, say, SHA2-512 is terribly
insecure, and it could allow implementations to choose which hashes to
generate and verify based on evolving criteria, local criteria (such
as hash performance on the specific platform) and local policy (such
as to, say, treat anything that doesn't use at least two different
hash functions as unauthenticated and thus subject to extra scrutiny).

Once you specify the file size and 2-3 cryptographically strong hashes
for the content, even if one of the hash algorithms turns out to be
weak, finding a simultaneous collision for all is still going to be a
good bit (no pun intended) more difficult.

Personally, I'd probably go for long hashes from something like SHA-2,
SHA-3 and BLAKE2; being modern, reasonably well studied, and of
different designs should reduce the risk of any particular future
attack impacting all of them; but I'm not particularly familiar with
the current literature.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
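The scheme sketched in the post above (file size plus several digests from different hash families, a standardized text encoding, and a receiver-side policy that treats anything with fewer than two recognised hashes as unauthenticated) as an added worked example. This is illustrative code written for this archive page, not code from the list, from John Levine's draft, or from any RFC the thread refers to. The `size=...; label=hex; ...` manifest layout, the algorithm labels, and the particular choice of SHA-512, SHA3-512 and BLAKE2b (the three families the post names) are assumptions made for the example.

```python
"""Multi-hash manifest for an externally hosted mail attachment.

Added example for this thread, not code from the list or from any RFC it
mentions. The manifest format (size=...; <label>=<hex>; ...) and the
algorithm labels below are assumptions chosen for illustration.
"""
import hashlib
import hmac
from typing import Iterable

# Three hash functions of different design families, as the post suggests.
# The labels are this example's own convention, not a standard.
ALGORITHMS = {
    "sha-512": hashlib.sha512,
    "sha3-512": hashlib.sha3_512,
    "blake2b-512": hashlib.blake2b,
}

CHUNK = 1 << 20  # 1 MiB: multi-gigabyte files are streamed, never fully loaded

VERIFIED, UNAUTHENTICATED, MISMATCH = "verified", "unauthenticated", "mismatch"


def _chunks(data: bytes) -> Iterable[bytes]:
    """Yield an in-memory sample in CHUNK-sized pieces (a real client reads a file)."""
    for i in range(0, len(data), CHUNK):
        yield data[i:i + CHUNK]


def digest_stream(chunks: Iterable[bytes], names: Iterable[str]):
    """One pass over the content: count bytes and feed every requested hash."""
    hashers = {n: ALGORITHMS[n]() for n in names}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {n: h.hexdigest() for n, h in hashers.items()}


def make_manifest(data: bytes, names=tuple(ALGORITHMS)) -> str:
    """Sender side: declared size plus one digest per selected algorithm."""
    size, digests = digest_stream(_chunks(data), names)
    return "; ".join([f"size={size}"] + [f"{n}={d}" for n, d in digests.items()])


def parse_manifest(text: str) -> dict:
    """Split 'k=v; k=v' into a dict; labels and hex are normalised to lower case."""
    fields = {}
    for item in text.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key.lower()] = value.strip().lower()
    return fields


def verify(data: bytes, manifest: str, min_hashes: int = 2):
    """Receiver side, applying the local policy from the post: a manifest with
    fewer than `min_hashes` hashes this receiver recognises is reported as
    unauthenticated (extra scrutiny), not as verified. Labels it does not know
    are ignored, which is what lets senders add new algorithms later without
    breaking older receivers."""
    fields = parse_manifest(manifest)
    try:
        expected_size = int(fields.pop("size"))
    except (KeyError, ValueError):
        return UNAUTHENTICATED, "manifest carries no usable size"
    if expected_size != len(data):  # cheapest check first, before any hashing
        return MISMATCH, f"size {len(data)} != declared {expected_size}"
    known = [n for n in fields if n in ALGORITHMS]
    if len(known) < min_hashes:
        return UNAUTHENTICATED, f"only {len(known)} recognised hash(es), policy wants {min_hashes}"
    _, actual = digest_stream(_chunks(data), known)
    failed = [n for n in known
              if not hmac.compare_digest(actual[n].encode(), fields[n].encode())]
    if failed:
        return MISMATCH, "digest mismatch: " + ", ".join(failed)
    return VERIFIED, "all of " + ", ".join(known) + " match"


if __name__ == "__main__":
    sample = b"constructed attachment contents\n" * 4096  # constructed sample data
    manifest = make_manifest(sample)
    print(manifest)
    print(verify(sample, manifest))
    print(verify(sample + b"x", manifest))
    print(verify(sample, make_manifest(sample, ("sha-512",))))
```

Two design points worth noting: all digests are computed in a single pass over the content, so adding a third hash costs CPU but not extra I/O on a multi-gigabyte file; and the receiver decides which of the listed hashes it trusts and how many it requires, so the "at least two different hash functions" rule from the post is local policy (`min_hashes`) rather than something baked into the format.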