[Cryptography] How should we encrypt external mail attachments

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 2 20:28:20 EDT 2021


Michael Kjörling <michael at kjorling.se> writes:

>Considering that e-mail itself is unauthenticated to begin with, thereby
>giving a potential adversary the ability to tamper with the external-
>reference data just as well as any other part of the message body,

A large majority of email today goes over TLS (in the form of STARTTLS, or
just purely TLS-only links), so it's actually relatively protected.
"Relatively" because the other side will trust any cert from any CA anywhere,
but it's not quite as easy to tamper with as you imply.

>you might want to very strongly consider using, or at the very least
>supporting, multiple hashes formatted in some standardized manner, instead of
>mandating any one hash algorithm in particular.

No, please don't.  This leads to the XML mess where there's a million
different algorithms and modes and all of them provide the freedom to get them
completely wrong in dozens of ways.  Apply Grigg's Law, "There is only one
mode and that is secure".  Embedded key -> HKDF -> AES+HMAC should do what you
need and leave little ambiguity for flaws.

Peter.
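
The chain named in the message above (embedded key -> HKDF -> AES+HMAC) as a single fixed mode. This is an added example, not part of the original post and not the poster's code. The CTR mode, the encrypt-then-MAC order, the blob layout and the "attachment-v1" label are assumptions of this sketch; HKDF is written out from the standard library's HMAC so that it has no external dependencies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func mac(key, msg []byte) []byte { // HMAC-SHA256
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}
// keys is HKDF-SHA256 (RFC 5869, empty salt) unrolled to two blocks; the label is assumed.
func keys(embedded []byte) (enc, auth []byte) {
	prk, info := mac(make([]byte, sha256.Size), embedded), "attachment-v1"
	enc = mac(prk, []byte(info+"\x01"))
	return enc, mac(prk, append(append([]byte{}, enc...), info+"\x02"...))
}
// Seal returns IV || AES-256-CTR ciphertext || HMAC-SHA256(IV || ciphertext).
func Seal(embedded, plain []byte) ([]byte, error) {
	enc, auth := keys(embedded)
	out := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(enc) // cannot fail: enc is always 32 bytes
	cipher.NewCTR(blk, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plain)
	return append(out, mac(auth, out)...), nil
}
// Open checks the tag in constant time before decrypting; there is no unauthenticated path.
func Open(embedded, blob []byte) ([]byte, error) {
	enc, auth := keys(embedded)
	n := len(blob) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(mac(auth, blob[:n]), blob[n:]) {
		return nil, fmt.Errorf("attachment failed authentication")
	}
	blk, _ := aes.NewCipher(enc)
	plain := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(blk, blob[:aes.BlockSize]).XORKeyStream(plain, blob[aes.BlockSize:n])
	return plain, nil
}
func main() { // key and attachment below are constructed samples
	blob, _ := Seal([]byte("constructed sample key"), []byte("constructed sample attachment"))
	pt, err := Open([]byte("constructed sample key"), blob)
	fmt.Printf("%q %v\n", pt, err)
}
```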


