Re: [Cfrg] Streaming AEAD
David Jacobson <dmjacobson@sbcglobal.net> Tue, 25 February 2014 16:36 UTC
Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A9A71A046A for <cfrg@ietfa.amsl.com>; Tue, 25 Feb 2014 08:36:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TtvlTUxiQvjz for <cfrg@ietfa.amsl.com>; Tue, 25 Feb 2014 08:36:10 -0800 (PST)
Received: from nm4.access.bullet.mail.gq1.yahoo.com (nm4.access.bullet.mail.gq1.yahoo.com [216.39.62.35]) by ietfa.amsl.com (Postfix) with ESMTP id 9A5B31A015A for <cfrg@irtf.org>; Tue, 25 Feb 2014 08:36:10 -0800 (PST)
Received: from [216.39.60.167] by nm4.access.bullet.mail.gq1.yahoo.com with NNFMP; 25 Feb 2014 16:36:09 -0000
Received: from [67.195.22.119] by tm3.access.bullet.mail.gq1.yahoo.com with NNFMP; 25 Feb 2014 16:36:09 -0000
Received: from [127.0.0.1] by smtp114.sbc.mail.gq1.yahoo.com with NNFMP; 25 Feb 2014 16:36:09 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1393346169; bh=s4TWbxcj6cmTBk2WBttgswrK/bKOAmkOElpThpod66A=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=pUQ+ER7lP51ZGL9Sj7pxJm/DekPeL+jL87z/pEcFcDtzJ0rNWvzc/rpPYyatnKxs7HbXI9D1Ulu0nJ2Xk/aApAaD7b4b0hXFX7RgFi+QU2JmhaNTWLmzx0S5a9ta396jVxy6xsQXWXjNVz+H8C+HXj0vAtRfcltUbyac8oIs5dI=
X-Yahoo-Newman-Id: 627091.30294.bm@smtp114.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: AtFX9qAVM1n7.wEK7MCn7GCTQJf56ouw_.gJeqyx.KC6BM6 rjEHtLiOdMoYAFV0cBvr0O0TonRJZ9PBhonDZ9tbJS.z1M1gP_cuD1VWFSWx EqEU2oD3lQzpcVqEc7xhDoEMWy.wz8eXFs9Ha7PcCywQnO_4LcqSK3r06Sji Fe0OO.1Jh0frXc21SuuAcxr8f.pQqMqArFsHRlGOiZWbFbVLExfpvNxY5iki .J0acq1d6JLFJiLMIcFq9iMJ91lluJOs.UoUdrjuf7eByBIux6kmmWEIqciy rB6CXMGDsVZrWqQj8F4nj7AVdy_c09Yefth9fXy8lUXmYCrnebSdQSnYlCIY zTimzC5x88a2qmXsQP2Q9s8LGd915GR.CgmcZbSx.OqE.L7aAng1HTALfvwA iij6Nw1AQB1grd2TqiVK0OB9tfuJyxg53pQx9rNcYDXCEo5MOirmstg8qPUT H4PI1fwJwA03ZCYNOfi91cbNJ0jL89BlA.Ui4vQpTGS3Sjd5LDgT9mHGQUa0 NwkkXiogf6M039M5mdKHAF53vQNwYSLjgtyv98IamuGyrhd00FCIUaKzbBlu _VAD8M1F5L97IPm1o
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
X-Rocket-Received: from [192.168.1.64] (dmjacobson@99.120.97.155 with plain [67.195.15.5]) by smtp114.sbc.mail.gq1.yahoo.com with SMTP; 25 Feb 2014 08:36:09 -0800 PST
Message-ID: <530CC678.3040000@sbcglobal.net>
Date: Tue, 25 Feb 2014 08:36:08 -0800
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: David McGrew <mcgrew@cisco.com>, "Manger, James" <James.H.Manger@team.telstra.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372375D64@uxcn10-tdc06.UoA.auckland.ac.nz> <53035EC7.8010607@cisco.com> <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com> <530A0293.5060208@cisco.com> <530CBC32.1040107@cisco.com>
In-Reply-To: <530CBC32.1040107@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/h5UAjRCoexiq4pQELUQLSuOk5zI
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] Streaming AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 16:36:14 -0000
On 2/25/14 7:52 AM, David McGrew wrote:
> Hi James,
>
> On 02/23/2014 09:15 AM, David McGrew wrote:
>> Hi James,
>>
>> On 02/18/2014 10:59 PM, Manger, James wrote:
>>>>>> What is needed is a way to use an AEAD algorithm to secure a
>>>>>> message in
>>>>>> chunks. Streaming-AEAD would allow a recipient to know they have
>>>>>> received an
>>>>>> authentic prefix of a message. It would allow crypto APIs to support
>>>>>> streaming modes while never returning unauthentic plaintext.
>>>>> I think the means of doing this is going to be protocol-specific,
>>>>> since it
>>>>> depends on the PDU format being used.
>>> Not necessarily.
>>> I was thinking we could define a new alg identifier such as
>>> "AEAD_AES_128_OCB_TAGLEN96/10K", meaning OCB on 10 KB chunks.
>>> Once the 10228th byte (10KB - 96 bits) of plaintext is streamed
>>> to the encrypt function, it finishes the first AEAD operation and
>>> inserts a 96-bit tag into the ciphertext. A decryption function
>>> caches the ciphertext it is streamed until it reaches a 10KB
>>> boundary then it returns 10228 bytes of plaintext.
>>>
>>> An app sees a different alg id, but doesn't need to notice that
>>> the ciphertext PDU is actually ct tag ct tag ct tag...
>>> [It might need to know which nonces have been used internally though!]
>>
>
> A thought occurred to me. Currently, many systems use an
> init/update/final interface for AEAD decryption. The streaming AEAD
> algorithm that you propose would not enable them to continue using
> this interface as they currently are. The problem is that the
> decryptUpdate function is required to provide plaintext when it
> returns; at least this is the case in some libraries. If
> decryptUpdate is not required to provide plaintext when it returns,
> then the implementation could just buffer the (pre-auth-verification)
> plaintext until the auth verification is done.
>
> David
[snip]
It is simpler than that. The decryptUpdate just blocks until it has
gotten to a verification tag. If the length parameter to the
decryptUpdate is less than the plaintext up to the auth tag, it delivers
the requested amount of plaintext, and buffers the remainder, which can,
of course, be immediately returned on the next call.
Now like many protocols with chunking, there is the possibility of
deadlock if such protocols are used interactively. That is something to
think about.
--David Jacobson
- Re: [Cfrg] Streaming AEAD Peter Gutmann
- [Cfrg] Streaming AEAD Manger, James
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD Jean Paul Degabriele
- Re: [Cfrg] Streaming AEAD Manger, James
- Re: [Cfrg] Streaming AEAD Mridul Nandi
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David Jacobson