[openpgp] AEAD mode unverified chunks

Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de> Sat, 30 June 2018 16:10 UTC

RFC4880bis should clarify that unverified plaintext must not be output
in AEAD mode.

I suggest adding this sentence:

5.16  AEAD Encrypted Data Packet (Tag 20)

[...]

If a chunk can not be authenticated, implementations MUST discard the
plaintext without further processing.  Unauthenticated plaintext MUST
not be output to other applications or the user.
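
The rule proposed above, as an added example that is not part of the original message or of any OpenPGP implementation: a chunked decryptor that verifies each chunk's tag before decrypting or releasing anything from it. The cipher is a stand-in built from SHA-256 and HMAC (not the AEAD algorithms the draft specifies), and the names `seal_chunks`, `open_chunks` and `ChunkAuthError` are hypothetical; it covers only the per-chunk check.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length (stand-in for the AEAD tag)

class ChunkAuthError(Exception):
    """Raised when a chunk's tag does not verify."""

def _keystream(key, index, n):
    # Stand-in cipher: SHA-256 in counter mode, keyed per chunk index.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(
            key + index.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def _tag(key, index, ct):
    # The chunk index is bound into the tag, so reordered chunks fail too.
    return hmac.new(key, index.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def seal_chunks(enc_key, mac_key, plaintext, chunk_size):
    """Encrypt-then-MAC each chunk; returns a list of ciphertext||tag."""
    chunks = []
    for i, off in enumerate(range(0, len(plaintext), chunk_size)):
        pt = plaintext[off:off + chunk_size]
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, i, len(pt))))
        chunks.append(ct + _tag(mac_key, i, ct))
    return chunks

def open_chunks(enc_key, mac_key, chunks):
    """Yield plaintext chunk by chunk, only after that chunk's tag verifies."""
    for i, chunk in enumerate(chunks):
        ct, tag = chunk[:-TAG_LEN], chunk[-TAG_LEN:]
        if len(chunk) < TAG_LEN or not hmac.compare_digest(tag, _tag(mac_key, i, ct)):
            # Discard without further processing: the chunk is never
            # decrypted, and nothing from it reaches the caller.
            raise ChunkAuthError(f"chunk {i} failed authentication")
        yield bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, i, len(ct))))
```

Chunks that verified before the failing one have already been handed to the caller, so the caller has to treat `ChunkAuthError` as failure of the whole message, not just of one chunk.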