Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update existing source reply keys to prevent leaking timing information #3995

Open
garrettr opened this issue Dec 17, 2018 · 1 comment
Open

Update existing source reply keys to prevent leaking timing information #3995

garrettr opened this issue Dec 17, 2018 · 1 comment

Comments

@garrettr
Copy link
Contributor

Description

Follow-up to #3912, specifically #3912 (comment) and subsequent comments.
@garrettr garrettr mentioned this issue Dec 17, 2018
Merged
1 task
@garrettr
Copy link
Contributor Author

There are (at least) two sources of sensitive timing metadata in GPG keys that we would like to obfuscate: the creation date and the expiration date. Initially, I was hoping we could just update the metadata of the existing keys, because I knew the expiration date may easily be changed with gpg --edit-key if one can access the private key. Unfortunately, some Internet research suggests the creation date cannot be changed.

I think that leaves us with the following possible, though slightly more complex, approach:

  1. When a source logs in, check to see if their reply key ought to be replaced (e.g. has an expiration date, does not use the fixed creation date).
  2. Generate a new reply key that does not leak timing metadata.
  3. Use the old reply key to decrypt all of their currently stored replies.
  4. Re-encrypt them with the new reply key
  5. Delete the old reply key

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@garrettr