1reop - reasonable expectation of privacy
2
3One of the obvious ideas I (and several others had) as soon as signify
4was released was to extend it to do more. After all, no program is complete
5until it can read email. Or at least munge up your email real bad.
6
7reop
8
9With some curiosity I read Creating the perfect GPG keypair. My conclusion is
10that there’s no such thing has a perfect GPG key pair. And we wonder why
11people leak secrets using hotmail. This shouldn’t be hard.
12
13reop is clearly influenced by signify (What can I say? I like my own designs.),
14but it’s not a clone. Its handling of keys is the most significant difference
15(besides the obvious, more features). Default keys are supported, and you can
16even add all your pals to ~/.reop/pubkeyring and verify their messages
17automatically, just like a normal PGP program.
18
19Supported operations include signing -S and verifying -V messages, plus a
20variety of options for encrypting messages (-D -E). It does everything you’d
21expect a PGP program to do. More accurately, it does everything I expect you
22to expect a PGP program to do. I may be wrong, but it kills me to see people
23reaching for the gpg or openssl hammer of infinite possibilities for the
24simplest of tasks. Limitations below.
25
26There is a (short) manual, of course, but there aren’t so many options that you
27should need to consult it more than once. Usually the short help text should be
28sufficient to get you started. I’ve tried to keep the option mnemonics
29reasonable.
30
31reop -G -i tedu # create tedu key pair
32reop -E -i ralph -m message # encrypt a message for ralph
33reop -D -x message.enc # ralph decrypts my message
34
35I had a short lived plan to support the real OpenPGP standard, but as I was
36scrolling through it, I came across the words “ASN.1 Object Identifiers” and my
37monitor went blank to prevent permanent damage. As it is, reop implements a
38sort of look-alike/feel-alike facsimile of the standard.
39
40Example:
41
42-----BEGIN REOP SIGNED MESSAGE-----
43"So, you're the UNIX guru."
44At the time, Randy was still stupid enough to be flattered by this attention,
45when he should have recognized them as bone-chilling words.
46-----BEGIN REOP SIGNATURE-----
47ident:tedu
48RWS1l0sm+eG0IZ7/JZ7V3Ct584XleF33BQkIiXmHNHjHKWTBZprpVPeiLsCpkRFL1m0y3z7xFBkx
49nzoNVbTELwB932C1rdllJwQ=
50-----END REOP SIGNED MESSAGE-----
51
52A reop key technically consists of two keys (one for signing, one for
53encrypting). The interesting part of a reop public key fits in a tweet
54(the ----- decoration stuff is too much though).
55
56-----BEGIN REOP PUBLIC KEY-----
57ident:tedu
58RWRDU7WXSyb54bQhy9CZ7Qq6kUZMeOkxDeFNDOU/jl6oQp+vfgGbIP9mRinCQ/pnpvqCMjLnDG7I
59I8gMZw/P6zJ+jEaFZX+9pTyCYA==
60-----END REOP PUBLIC KEY-----
61
62You don’t get to pick your algorithms. I pick them (sort of; nacl picked them).
63There is theoretical support for future algorithm changes. In general, reop
64only asks questions that only the user can answer, and which the user should be
65able to answer. Fewer features -> fewer feature options -> fewer commands to
66edit, adjust, and otherwise tweak those options.
67
68security
69
70I’m guessing you’d rather hear about the fun crypto bits than my infallible
71programming skills.
72
73All the crypto comes from nacl (indirectly via libsodium). Specifically,
74reop uses crypto_sign (Ed25519), crypto_box (Curve25519, Salsa20, and Poly1305)
75and crypto_secretbox (Salsa20 and Poly1305). I have not personally vetted these
76functions. Internet told me they were safe.
77
78One thing to note is that the crypto_box construction may not behave
79like other public key encryption schemes you are familiar with. It takes two
80key pairs; the receiver’s public key as expected and the sender’s secret key,
81which offers a measure of authentication.
82
83What the nacl documentation doesn’t really make clear is that same set of keys
84used for encrypting work for decrypting (i.e., it’s not asymmetric). For
85instance, if Alice, sending a message to Bob, encrypts with secAlice and
86pubBob, that would normally be decrypted by Bob with pubAlice and secBob. But
87secAlice and pubBob work just as well to decrypt. If you were expecting to
88encrypt some secret with a public key and then have that computer “forget” how
89to access the secret, that won’t work.
90
91reop used to work around this half-assedly. Now the workaround is at least
923/4-assed. An ephemeral key is generated. The meat of the message is encrypted
93with secEph and pubBob. Then secEph is discarded. Now only pubEph and secBob
94can decrypt. To authenticate the message, we encrypt pubEph with secAlice
95and pubBob. Bob can authenticate the message with secBob and pubAlice, but he
96could also have forged the message, giving Alice deniability.
97
98This is something like what Noise Boxes would do, but which pub keys get
99encrypted are swapped. (reop doesn’t hide sender identity.)
100https://github.com/trevp/noise/wiki/Boxes
101
102While it's possible to do things the other way around and try to provide
103sender confidentiality, I'm not sure it's a good fit for reop. It doesn't
104align with how the tool is likely to be used, and sender identity will most
105likely leak some other way. Better IMO to simply not make that promise.
106
107Nonces, where necessary, are generated randomly.
108
109[The next two paragraphs are a little dated;
110 reop is using libsodium wrappers now.]
111
112The nacl functions are all accessed via wrappers, very similar to the C++
113wrappers. The C nacl API requires the caller to provide padded buffers
114(i.e., ciphertext, auth tag, and zeroed scratch space all contiguous in memory),
115which is somewhat inconvenient for a program like reop. As a result, more
116memory is allocated and data copied than strictly mathematically necessary.
117Additionally, nacl has a “packet” interface, not a “stream” interface, which
118imposes some other limits on message size, but for most practical purposes it
119should be fine.
120
121It’s unfortunate, but I think nacl is the closest I’ve ever seen to a software
122interface that is perpendicular to the rest of the program. For a program that
123is essentially a CLI for nacl, reop spends considerable effort making sure that
124things are just so. The ZEROBYTES vs BOXZEROBYTES nonsense is just this side of
125ridiculous.
126
127limitations
128
129There’s no support for key revocation, or long chains of certificates, or
130partial trust, or key servers. For the most part, I think this is feel good
131wankery that doesn’t accomplish as much as one would like. I wonder how many
132people have ever revoked their PGP keys to see how it works in practice. The
133reop trust model is very simple. You can probably even understand it.
134
135Keys don’t expire. If we expand the scope of inquiry slightly to TLS certs,
136I’ve lost count of the problems I’ve seen caused by prematurely expiring certs.
137Number of times an expired cert has saved my ass? Zero. This is arguably
138shortsighted, I know.
139
140You can’t embed a JPG selfie into reop keys. Not even a tiny one.
141
142reop doesn’t include a Tempest resistant font for viewing top zecret messages.
143
144code
145
146Should build most where, if you pick the right Makefile. Uses libsodium.
147
148I have endeavored to keep the code modular, such that it could be used in a
149library, but this is generally thwarted by the knowledge that top-level code
150has the privilege of simply giving up when things don’t go its way.
151Returning error codes -> having to check error codes.
152
153I’m not enamored with the parsing code. Too much pointer banging.
154
155