Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP Cleanups based on review feedback #27

Closed
wants to merge 1 commit into from
Closed

Conversation

rfk
Copy link
Contributor

@rfk rfk commented May 23, 2019

I finally made the time to go through Martin's feedback in mozilla/application-services#1068 (comment) and I have a few suggested cleanups in progress. First though, I wanted to make sure I understood the scope and intention of everything in this crate, so I started with trying to flesh out the README.

@eoger @jrconlin, does this sound about right so far?

@rfk rfk force-pushed the crypto-cleanups branch from 74dfb9a to bbdb0f7 Compare May 23, 2019 10:09
Copy link
Contributor Author

@rfk rfk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also wonder if I should put this in lib.rs so that it winds up on the docs by default, not sure what the right convention is there.

[RFC8188](https://tools.ietf.org/html/rfc8188)
* `aesgcm`: the draft scheme described in
[draft-ietf-webpush-encryption-04](https://tools.ietf.org/html/draft-ietf-webpush-encryption-04) and
[draft-ietf-httpbis-encryption-encoding-03](https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-03_)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to track down the specific specs, which includes both ECE and WebPush. Did I find the right ones? (In particular, are these the right draft numbers for the draft specs? I reverse-engineered which draft to link based on the details of how the code currently behaves).

The sender can encrypt a Web Push message to the receiver's public key:

```
let ciphertext = ece::encrypt(pubkey, auth_secret, b"payload")?;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose we remove the salt argument from this function, since it seems like a footgun we can easily help the caller avoid by just generating a fresh random salt each time. (So I did so pre-emptively in the docs here)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fair enough. The salt is mostly a legacy thing now with the sunset of aesgcm. If we have this default to using aes128gcm for encryption/decryption then there's no problem.


* We do not implement streaming encryption or decryption, although the ECE scheme is designed to permit it.
* The application cannot control what padding is apply during encryption; we randonly select a length of padding to add
during encryption, but the RFC suggests that the best choice of strategy [is application-dependant](https://tools.ietf.org/html/rfc8188#section-4.8)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to add more explanation about how the padding thing works but I don't really understand it - are we just randomly selecting some length to pad to? I wonder if we should give the caller control over that rather than doing it behind the scenes.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The padding is mostly there to obscure the length of the actual data, with the provision that a minimum set be present. There's concern that left to the application, no padding is used which could compromise the encryption (as noted in the spec). I'll add that we don't currently support multi-segment messages, so it could be a bit easier to predict payloads if no (or consistently sized) padding is used. Using a randomized padding size like this does kind of remove a footgun.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the explanation.

I expect there are better things we could do than "random padding" here, such as bucketing to the nearest power of 2. IIUC the problem with adding random noise is that it's easy to remove when doing statistical analysis, you just have to collect a greater volume of traffic. But we can explore that in followups.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to me.

Also nit on line 84: s/apply/applied/

@rfk
Copy link
Contributor Author

rfk commented Mar 18, 2021

Closing in favour of #52

@rfk rfk closed this Mar 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants