Re: [Cfrg] streamable AEAD construct for stored data?
Alex Elsayed <eternaleye@gmail.com> Thu, 12 November 2015 06:32 UTC
Return-Path: <giic-cfrg@m.gmane.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A5861ACEDB for <cfrg@ietfa.amsl.com>; Wed, 11 Nov 2015 22:32:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.71
X-Spam-Level:
X-Spam-Status: No, score=-1.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VF4LM1hdcSUI for <cfrg@ietfa.amsl.com>; Wed, 11 Nov 2015 22:32:33 -0800 (PST)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 243511ACEF9 for <cfrg@irtf.org>; Wed, 11 Nov 2015 22:32:32 -0800 (PST)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <giic-cfrg@m.gmane.org>) id 1ZwlQq-0008Ni-6t for cfrg@irtf.org; Thu, 12 Nov 2015 07:32:28 +0100
Received: from 66-87-138-238.pools.spcsdns.net ([66.87.138.238]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Thu, 12 Nov 2015 07:32:28 +0100
Received: from eternaleye by 66-87-138-238.pools.spcsdns.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Thu, 12 Nov 2015 07:32:28 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: cfrg@irtf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Thu, 12 Nov 2015 06:32:16 +0000
Lines: 38
Message-ID: <n21bpg$a0$1@ger.gmane.org>
References: <87twp91d8r.fsf@alice.fifthhorseman.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 66-87-138-238.pools.spcsdns.net
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/jpULizdIY8ExoqFikHinyHEmcRw>
Cc: openpgp@ietf.org
Subject: Re: [Cfrg] streamable AEAD construct for stored data?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 06:32:34 -0000
On Fri, 30 Oct 2015 08:11:48 +0900, Daniel Kahn Gillmor wrote: > Hi CFRG folks-- > > We're looking into fixing the OpenPGP symmetrically-encrypted data > formats for RFC4880bis. The structures are used for mail messages but > also for large file encryption. It's clear that the OpenPGP CFB mode > isn't designed to modern symmetric encryption standards, so we're hoping > to introduce a better approach. > > We need, among other things to address integrity protection in a more > meaningful way than the current OpenPGP MDC (modification detection > code), which is basically a SHA-1 hash of the cleartext. This was never > much better than a band-aid. And as discussed in the recent "OpenPGP > SEIP downgrade attack" thread, an "integrity-protected" packet with an > MDC can be stripped down to produce a syntactically-valid packet without > integrity protection. > > But one of our constraints is the OpenPGP use case that streams > decrypted data, like this: > > pgp --decrypt <backup.pgp | tar x > > It's unlikely that this use case will go away. <snip> > Thoughts, pointers, or suggestions would be much appreciated. Rogaway et. al. have a pair of constructions that come with very good security reductions, named CHAIN (requires strongly nonse-misuse- resistant underlying AEAD, which is hard to come by) and STREAM (only requires nonce-based AEAD). https://eprint.iacr.org/2015/189 If you want to forbid out-of-order decryption, you can also use each packet (or a hash thereof) as AD to the next.
- [Cfrg] streamable AEAD construct for stored data? Daniel Kahn Gillmor
- Re: [Cfrg] streamable AEAD construct for stored d… Natanael
- Re: [Cfrg] streamable AEAD construct for stored d… Watson Ladd
- Re: [Cfrg] streamable AEAD construct for stored d… Natanael
- Re: [Cfrg] streamable AEAD construct for stored d… Daniel Kahn Gillmor
- Re: [Cfrg] streamable AEAD construct for stored d… Hanno Böck
- Re: [Cfrg] streamable AEAD construct for stored d… Watson Ladd
- Re: [Cfrg] streamable AEAD construct for stored d… Taylor R Campbell
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Adam Langley
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Björn Edström
- [Cfrg] Merkle trees [was Re: streamable AEAD cons… Taylor R Campbell
- Re: [Cfrg] streamable AEAD construct for stored d… Zooko Wilcox-OHearn
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andrey Jivsov
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Watson Ladd
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Paul Lambert
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andy Lutomirski
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andy Lutomirski
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Gilles Van Assche
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] Merkle trees Taylor R Campbell
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Zooko Wilcox-OHearn
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Tony Arcieri
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] streamable AEAD construct for stored d… Bryan Ford
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bill Cox
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] streamable AEAD construct for stored d… Alex Elsayed
- Re: [Cfrg] Merkle trees Gilles Van Assche