It's unclear from the article if this is the same implementation age uses.
Signcryption schemes are also a good candidate algorithm for replacing JWTs and PASETO as they suffer from no algorithm confusion, and don't need what PASETO calls "Algorithm Lucidity" and serve both plaintext authentication, authenticated encryption, sender receiver verification, and shared key generation that can be used for unlimited encrypted streaming, for example with libsodium's crypto_secretstream API.
The hypothetical I want to pose people is, let's say your server is corrupted or I.pacted by ransomware. So you pull your gpg backups and hit restore. The data somehow looks correct and in line with expectations, but the signature fails to verify.
You can say 'well I know there was tampering, or possible one bit of bitrot' but then what? Let's say my backup was a poatgresql backup that restored correctly and had no obvious issues.
People often state backups mist be signed but just not sure how you would even respond. You cannot just not use the backup if all your backups are the same and you just had an incident. You could say "now we don't trust the data" but again what is meaningful action here?
Is it really a plausible threat that an attacker wiped put production, gained access to your backup infrastructure, but instead of just wiping it in order to force you to pay a ransom they took a new backup and quietly modified it? Surely such a person would just modify production if they wanted such a game.
For me, it's about uploading files to the "cloud" such as Google Drive or Github and wanting to make sure that the data I uploaded is the same data that I am getting back. If the signatures fail I could unpack the file and manually review them to see what's up.
In your case, I think the problem is having backups that are attackable from production, and likely only having one set of backups.
>You cannot just not use the backup
What would you do if instead of tampering with the backups or production they just deleted everything outright?
If I pulled a backup and it looked like it had been tampered with, I wouldn’t use the backup. Using a medium that protects against bit rot for backups, and testing the backups often enough to notice if they’ve been tampered with or malformed, are both key tenets of production systems.
I have considered switching from GPG to age quite a lot, but I mostly use GPG for file encryption so this issue was a deal breaker for me. I did consider signing the encrypted backups with minisign, but then I needed two unrelated key pairs to safely access my backups instead of just one.
Is there a specific argument you found unconvincing? I thought this was a very well-written summary of (1) why age doesn't provide authenticated encryption by default, (2) how you can do authenticated encryption with age, and (3) why age won't make "simple" authenticated encryption simpler.
Edit: I forgot to point out: GPG does sign-then-encrypt, which has a potential failure mode that the post notes (i.e., that your recipient retains your signature, and can encrypt-and-forward it to any additional recipient they please.)
>...that your recipient retains your signature, and can encrypt-and-forward it to any additional recipient they please.
So just like signatures made on paper? You can take a signed paper document and put it in an envelope and send it anywhere you want. What is wrong with that? It is what someone living in this world would normally expect. We need more things that work as expected, not less...
In most countries that's called "forgery." You can't pass of someone's signature, even if it's authentic, in a context they did not intend.
(It should be obvious why it's illegal, and what's wrong with it -- nobody wants bank accounts opened in their name by unrelated parties. You should then be able to reason by parallel as to why it's not a desirable property in a cryptosystem.)
>...nobody wants bank accounts opened in their name by unrelated parties.
How could you possibly open a bank account with someone's random signed document? A signature on paper identifies who signed it. That is the point. So a bank receiving a paper or PGP message that says "Please open an account" signed by Bob is somehow going to end up opening an account for someone else?
I think you might of gotten the "surreptitious forwarding" issue backwards. The issue is that you might think a signed message is to you when it was actually sent to someone malicious who then forwards it on to you. My point is that this issue is already well understood in our present civilization and doesn't need some sort of technical fix.
For the bank example, the bank you sent your strangely generic request for an account to would have to take that request and send it to another bank. So now you would end up with two accounts and on trivial investigation would know exactly what happened.
Bringing this back to age, the bank would get an unsigned request for an account and would have no way to know who originated it.
> How could you possibly open a bank account with someone's random signed document? A signature on paper identifies who signed it. That is the point.
The normal examples are surreptition and impersonation:
* I could include your bank statement in the stack of physical documents reviewed for a new account. An overworked banker might miss the different name, or different signature, and treat it as another legitimate item for me when it’s a legitimate item for you. After all, it’s signed and legitimate looking.
* More interestingly, I can just pretend to be you. If you don’t already have an account with the bank, I can give them my phone number and address instead. I have your signed document!
The latter is how a lot of account fraud actually happens, and maps to PGP’s failure to provide strong identity through the “web of trust.” See, for example, people “verifying” email signatures by just looking the “right” key up on a keyserver.
Emphasis on “pass off”: it’s not forgery to present the original document for its original purpose. It would be forgery to modify the document or to present it in a way or context that implied some other purpose.
I use Gpg heavily, no reason to change (well, unless perhaps Age provides ChaCha-20 Poly1305 with 256 bits file keys not 128, and someone creates a good backup software with it).
https://github.com/jedisct1/libsodium-signcryption
It's unclear from the article if this is the same implementation age uses.
Signcryption schemes are also a good candidate algorithm for replacing JWTs and PASETO as they suffer from no algorithm confusion, and don't need what PASETO calls "Algorithm Lucidity" and serve both plaintext authentication, authenticated encryption, sender receiver verification, and shared key generation that can be used for unlimited encrypted streaming, for example with libsodium's crypto_secretstream API.
https://doc.libsodium.org/secret-key_cryptography/secretstre...
https://github.com/paseto-standard/paseto-spec/blob/master/d...