|
| 1 | +Encryption and IPLD, 2021 |
| 2 | +========================= |
| 3 | + |
| 4 | +This is an exploration report about the role and relationship of encryption relating to IPLD, |
| 5 | +gathering some thoughts and recent updates in early 2021. |
| 6 | +It's meant to be useful as a reference piece for further discussion at this time. |
| 7 | + |
| 8 | +This document takes input from tons of people. |
| 9 | +It's written by warpfork in the immediate aftermath of close conversation with Mikeal, |
| 10 | +but also has tons of input from Carson of Textile (via the 2021.01.11 IPLD Weekly meeting), |
| 11 | +and also draws on other notes exchanged over time with project such as the Ceramic Network, 3Box, Peergos, Qri, and others. |
| 12 | +(Even if you don't see your name here, it's likely you've contributed something -- |
| 13 | +this topic has just been a long time brewing, so attributing all inspirations completely is now hard!) |
| 14 | +Thank you to all these folks for their efforts. |
| 15 | + |
| 16 | + |
| 17 | +Overview |
| 18 | +-------- |
| 19 | + |
| 20 | +People frequently want to implement encryption as part of decentralized systems. |
| 21 | +So, it's no surprise that it's also frequent that people want a story for how encryption and IPLD should interact. |
| 22 | + |
| 23 | +For a long time, IPLD has been agnostic to any sort of encryption. |
| 24 | +(We've been afraid of doing a _wrong_ thing and baking it into specs.) |
| 25 | +Instead, we've asked that people using IPLD figure out how to compose IPLD and encryption on their own. |
| 26 | +It may now be time for this to change, as we gather lots of input from the community. |
| 27 | + |
| 28 | +In this document, we're going to cover three major topic groups: |
| 29 | + |
| 30 | +- 1. A proposal for encryption primitives in IPLD, and a plan for how to use multicodec indicators for encryption! |
| 31 | +- 2. A section about usage conventions we see which have repeatedly emerged, and seem useful, and thus now seem worth identifying and creating vocabulary for. |
| 32 | +- 3. A section for gathering notes about use cases, tradeoff notes, and general cautions about general applied cryptography. |
| 33 | + |
| 34 | +Comments and feedback on each of these topic groups are welcome. |
| 35 | + |
| 36 | +At the end of this document, _we will still expect IPLD to be agnostic to encryption_ in the sense that you can bring your own concepts and layer them in IPLD as you please, |
| 37 | +but we _may_ also have some ideas for cryptographic primitives we might give some extra support and coordination for. |
| 38 | + |
| 39 | + |
| 40 | +Encryption Codecs |
| 41 | +----------------- |
| 42 | + |
| 43 | +The IPLD team is now considering encryption which is signaled by multicodec indicators |
| 44 | +(and thus works anywhere CIDs are used), |
| 45 | +and works in the natural way an IPLD codec is expected to work. |
| 46 | + |
| 47 | +(This is a big change in stance. |
| 48 | +Previously, we've considered it unclear whether codecs are the right place for this.) |
| 49 | + |
| 50 | +There's a couple of details about how we expect this to work which are recent realizations, |
| 51 | +and so this document might be nearly the first description of them: |
| 52 | + |
| 53 | + |
| 54 | +### encryption codecs use multicodec indicators |
| 55 | + |
| 56 | +As stated in the summary above: encryption will use multicodec indicators. |
| 57 | + |
| 58 | +This means we'll reserve new numbers in the multicodec table. |
| 59 | +We'll expect to see values like "AES-GCM" appear in the same table as "DAG-CBOR". |
| 60 | + |
| 61 | + |
| 62 | +### encryption codecs are still codecs of the usual contracts |
| 63 | + |
| 64 | +Codecs which do encryption will look like regular IPLD codecs. |
| 65 | + |
| 66 | +What does this mean? Well, in our recent improvements to formalizations, we now describe a codec as |
| 67 | +the operation "decode" -- `function (rawByteStream) -> (ipldDataModelNode | error)` -- |
| 68 | +and the operation "encode" -- `function (ipldDataModelNode, writeableBytestream) -> (error)`. |
| 69 | +(Loosely. This is psuedocode, not any particular programming language.) |
| 70 | + |
| 71 | +(Okay, what did _that_ mean? ;) ...I'll do it again in plain language.) |
| 72 | + |
| 73 | +The key detail that is important for IPLD's soundness is: |
| 74 | +the encoded data stream must be transformable to a "node" -- which must be describable _entirely_ and _purely_ by the IPLD Data Model -- |
| 75 | +and then back again, from that "node" to an encoded data stream. |
| 76 | + |
| 77 | +Okay, background established. Now: why does this matter to encryption? |
| 78 | + |
| 79 | +Two reasons: |
| 80 | + |
| 81 | +- that contract means *no additional parameters* are allowed. So, for encryption, it means keys don't -- *can't* -- enter into this yet. |
| 82 | +- that contract means we always have to be able to transform the encoded form into *something*. |
| 83 | + |
| 84 | + |
| 85 | +#### encryption codecs are defined as destructuring ciphertext |
| 86 | + |
| 87 | +... *not* as yielding cleartext. This may be unintuitive, but is important. |
| 88 | + |
| 89 | +First, an example: many encryption schemes have two components in their ciphertext: |
| 90 | +some sort of "initialization vector" (commonly known as an "IV"), which is a number unique to that ciphertext; |
| 91 | +and then the ciphertext body itself. |
| 92 | +So, for such an encryption scheme, the relevant IPLD codec would probably produce a _map_, matching this schema: |
| 93 | + |
| 94 | +```ipldsch |
| 95 | +type CodecResult struct { |
| 96 | + iv Bytes |
| 97 | + body Bytes |
| 98 | +} representation map |
| 99 | +``` |
| 100 | + |
| 101 | +(The actual serial form may look like anything it wants (likely, some binary length-prefixed format), |
| 102 | +because that's the responsibility of the codec implementation to define; |
| 103 | +this small schema just describes the Data Model view we might expect to be yielded.) |
| 104 | + |
| 105 | +This is neat in several ways: |
| 106 | + |
| 107 | +- It means that processing the data into Data Model is always *defined* -- even if you don't have key material. |
| 108 | + - This in turn means IPLD Selectors, and all sorts of other stuff, *work normally* over encrypted data. |
| 109 | + (Not over the cleartext, obviously -- then the encryption wouldn't be doing much, would it? |
| 110 | + But their operation is *defined*, so they can be used safely and predictably.) |
| 111 | +- It means we have a way to access the ciphertext. |
| 112 | + - ... That may not sound like a big deal, but it's been a weird and interesting buggaboo in a lot of other previous proposals about how to fit encryption into IPLD. |
| 113 | +- It means we don't have to solve the problem of how to get key material into a codec. |
| 114 | + - This is a big deal because it means, well, a bunch of our abstraction layers in IPLD don't... uh, shatter. Good. |
| 115 | + |
| 116 | +Okay, but how do we get to cleartext then? Let us proceed to the next section! |
| 117 | + |
| 118 | +#### getting to cleartext when using encryption codecs involves feature detection |
| 119 | + |
| 120 | +Encryption codecs in IPLD libraries will have extra methods on them, and support some kind of "feature detection" to advertise this. |
| 121 | +Those additional methods will accept key material as a parameter, and return an IPLD Data Model Node... of the *cleartext*. |
| 122 | +(E.g., the "node" returned here, and the "node" returned by the codec alone, will be *very* different data.) |
| 123 | + |
| 124 | +How exactly this looks will vary by langauge and library implementation; |
| 125 | +different languages will have different idioms for doing feature detection. |
| 126 | + |
| 127 | + |
| 128 | +### key management is out of band |
| 129 | + |
| 130 | +Keys still need to be supplied to the encrypt and decrypt methods of an encryption codec when they are used. |
| 131 | +This key supply and management is something that must be handled "out of band". |
| 132 | + |
| 133 | +We don't have a total strategy for automatic application of keys in large graphs. |
| 134 | +And we probably won't, either. |
| 135 | +We expect that most applications using cryptography will have some key management strategy that is unique to them, |
| 136 | +and will probably _not_ want their IPLD library dictating anything about key management. |
| 137 | +(For example, many complex applications using cryptography may involve key derivation strategies, |
| 138 | +which can even be content or data-organization aware -- we cannot possibly specify such things in IPLD; we need to just accept instructions on that.) |
| 139 | + |
| 140 | +IPLD will be open to future work on library functions for how to handle key management in practice. |
| 141 | +If we can find sufficiently common patterns, they may be worth library features. |
| 142 | +However, we should be comfortable understanding that there may actually not be single answers to key management, |
| 143 | +and the number of features relating to it that belong in IPLD libraries might be correspondingly minimal. |
| 144 | + |
| 145 | + |
| 146 | +### encryption codecs can be used recursively |
| 147 | + |
| 148 | +TODO (this emerges fairly naturally but deserves comment and example) |
| 149 | + |
| 150 | + |
| 151 | +### limitations of this approach |
| 152 | + |
| 153 | +#### double hashing |
| 154 | + |
| 155 | +This approach is roughly "mac-then-encrypt-then-mac" (if you're from the era of crypto education which called things "MAC" rather than "MIC" (which would make much more sense (but, I digress))). |
| 156 | + |
| 157 | +In other words: we hash things twice, and one of the hashes ends up in the output data body (because it's inside the ciphertext). |
| 158 | + |
| 159 | +There's nothing wrong with this (it's certainly cryptographically sound!); it's just slightly excessive and does spend a few bytes. |
| 160 | + |
| 161 | +#### selectors don't work over cleartext |
| 162 | + |
| 163 | +Because these codecs don't immediately yield cleartext, selectors applied to data yielded from these codecs won't be working on the cleartext either. |
| 164 | + |
| 165 | +_However_, this isn't necessarily a big problem, and we actually have a good remedy available: |
| 166 | +_ADLs could still be composed with this approach._ |
| 167 | +An ADL could handle the key management issues, |
| 168 | +use the codec which is only yielding ciphertext internally (e.g. these nodes would be the ADL "substrate"), |
| 169 | +apply the decryption, and then yield the cleartext as the ADL's output. |
| 170 | +Traversals, selectors, and all the other goodies that are expected to work on IPLD Data Model Nodes could then continue to work upon this data. |
| 171 | +(The key management problem has merely been pushed around, arguably, but critically, it's been pushed out of the area from where multicodec constraints made it unsolvable.) |
| 172 | + |
| 173 | + |
| 174 | + |
| 175 | +Conventions and Usage Patterns around Encryption in IPLD |
| 176 | +--------------------------------------------------------- |
| 177 | + |
| 178 | +General notice: there are not single solutions to how to compose crypto systems. |
| 179 | +Many tradeoffs exist in design of applications using encryption. |
| 180 | +In some situations, metadata and size and access pattern concealment don't matter; |
| 181 | +in others, they're critically important, and an infinite amount of performance penalty is an acceptable trade. |
| 182 | +We can't make these decisions for applications. |
| 183 | +In this document, we'll limit our scope to talking about patterns that we've seen, |
| 184 | +and building some vocabulary around them, and sharing the ideas that seem to have good results. |
| 185 | + |
| 186 | + |
| 187 | +### Desirable traits |
| 188 | + |
| 189 | +Some frequently identified desires when working with encrypted data include: |
| 190 | + |
| 191 | +- ability to use "pinning" services without special integrations or disclosure of key material |
| 192 | +- ability to tersely identify subtrees, e.g. for purposes such as network transfer |
| 193 | + |
| 194 | +These are things which are well-provided for when using IPLD without encryption, |
| 195 | +but require some additional design when using IPLD with encryption, since the link structure of documents is generally itself encrypted. |
| 196 | + |
| 197 | +Mind: these goals are complicated: if they didn't require information that is _encrypted_, they wouldn't be worth special mention in the first place. |
| 198 | +It's very important to be sure you also consider the [cryptography caveats](#introduction-to-cryptography-caveats) when working with these goals. |
| 199 | + |
| 200 | + |
| 201 | +### Pattern: Cleartext Manifest over CIDs of Encrypted Data |
| 202 | + |
| 203 | +Key concepts: |
| 204 | + |
| 205 | +- All content is encrypted at block level (using the systems described in the [Encryption Codecs](#encryption-codecs) section) (so, we have a set of CIDs, all of which have a multicodec indicator that indicates some kind of encryption codec). |
| 206 | +- We still want to be able to pin the whole set, or fetch the whole set using one query. |
| 207 | + |
| 208 | +The solution to this is pretty clear: we want some merkle tree of cleartext IPLD objects, and that tree should just link to the encrypted data CIDs. |
| 209 | + |
| 210 | +#### manifest tree structure can be any form |
| 211 | + |
| 212 | +An interesting trait of the manifest pattern is that to provide its key benefits -- |
| 213 | +e.g. being able to refer to the whole set of data at once -- |
| 214 | +it doesn't actually _matter_ exactly _what_ tree structure or layout algorithm is used. |
| 215 | + |
| 216 | +HAMTs or Chunky Trees can both be used; or for small enough data, a plain map in a single block. |
| 217 | +Anything that reaches the goals works; there's little or no need to standardize on this. |
| 218 | + |
| 219 | + |
| 220 | + |
| 221 | +introduction to cryptography caveats |
| 222 | +------------------------------------ |
| 223 | + |
| 224 | +Designing cryptographic systems is _tricky_ -- to put it mildly. |
| 225 | + |
| 226 | +We can't always offer complete systems and complete guidance to cryptographic work. |
| 227 | +What we can do in IPLD is offer some components and, sometimes, some patterns of suggested use. |
| 228 | +How to put those things together (and do so safely) is still fundamentally the responsibility of the application developer. |
| 229 | + |
| 230 | +We also can't provide a complete introduction and set of coursework on how to compose cryptographic systems! |
| 231 | +Those are educational resources you'll need to find access to elsewhere if you haven't gotten it already. |
| 232 | + |
| 233 | +With all those caveats made, though, we'd like to offer a few pointers to topics you should at least be aware of. |
| 234 | +These topics are also especially relevant to the combination of encryption and IPLD because of how they involve tradeoffs |
| 235 | +(and, some of those tradeoffs are things that inform *why* we don't move certain kinds of features into IPLD specs -- it's because there's more than one way to go about it). |
| 236 | + |
| 237 | +### access patterns of ciphertext can leak hints about the cleartext |
| 238 | + |
| 239 | +// more description of this would be welcome |
| 240 | + |
| 241 | +### size of ciphertext may leak hints about the cleartext |
| 242 | + |
| 243 | +// more description of this would be welcome |
| 244 | + |
| 245 | +### these are example headings, not an exhaustive list |
| 246 | + |
| 247 | +// it's unclear how much we should offer a primer in cryptography |
| 248 | + |
| 249 | + |
| 250 | + |
| 251 | +Postscript: What Actually Happened |
| 252 | +---------------------------------- |
| 253 | + |
| 254 | +The conversation about encryption and its relationship to IPLD is probably still not finished |
| 255 | +(but this document is, because as an exploration report, at some point, we call it done; and if the conversation continues, it'll be with a new document). |
| 256 | + |
| 257 | +Encryption discussion is still ongoing in PRs: |
| 258 | +in particular, in https://github.com/ipld/specs/pull/349#issuecomment-763901167 it seems we may be backing away from making multicodec indicators do double-duty, |
| 259 | +and instead using a single multicodec indicator to describe a codec that handles the ciphertext in a standard way, |
| 260 | +then creating a new numeric 'code' field for indicating which cipher mechanism is used, and putting that 'code' field in the codec that's handling the ciphertext. |
| 261 | + |
| 262 | +It will probably remain the case that there will be more than one way to go about encryption when working with IPLD. |
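Review bot: In the "double hashing" section, "mac-then-encrypt-then-mac" and "it's certainly cryptographically sound!" claim more than the text supports. The next sentence says "we hash things twice", and a hash carries no key, so it is not a MAC; what the outer hash protects depends on how the reader obtained the CID in the first place. Suggest calling this hash-then-encrypt-then-hash and qualifying or dropping the soundness claim, noting that an authenticated mode such as the "AES-GCM" named under "encryption codecs use multicodec indicators" carries its own tag, while the `iv`/`body` schema shown says nothing about one. Smaller points: "psuedocode", "langauge" and "with project such as" are spelling or grammar slips, and the "TODO" under "encryption codecs can be used recursively" should be filled in or marked as out of scope before this lands as a finished report.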