[openpgp] [PATCH 1/3] Add AEAD Encrypted Data Packet with EAX

"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 21 July 2017 22:27 UTC


---
 middle.mkd   | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 template.xml | 11 ++++++++
 2 files changed, 96 insertions(+)

diff --git a/middle.mkd b/middle.mkd
index c2447d5..166b575 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -2550,6 +2550,81 @@ packet length.  The reason for this is that the hashing rules for
 modification detection include a one-octet tag and one-octet length in
 the data hash.  While this is a bit restrictive, it reduces complexity.
 
+## {5.14} AEAD Encrypted Data Packet (Tag 18)
+
+This packet contains data encrypted with an authenticated encryption and
+additional data (AEAD) construction.  When it has been decrypted, it
+will typically contain other packets (often a Literal Data packet or
+Compressed Data packet).
+
+The body of this packet consists of:
+
+  * A one-octet version number.  The only currently defined value
+    is 1.
+
+  * A one-octet cipher algorithm.
+
+  * A one-octet AEAD algorithm.
+
+  * A one-octet chunk size.
+
+  * A starting initialization vector of size specified by the AEAD
+    algorithm.
+
+  * Encrypted data, the output of the selected symmetric-key cipher
+    operating in the given AEAD mode.
+
+  * A final, summary authentication tag for the AEAD mode.
+
+An AEAD encrypted data packet consists of one or more chunks of data.
+The plaintext of each chunk is of a size specified using the chunk size
+octet using the method specified below.
+
+The encrypted data consists of the encryption of each chunk of
+plaintext, followed immediately by the relevant authentication tag.  If
+the last chunk of plaintext is smaller than the chunk size, the
+ciphertext for that data may be shorter; it is nevertheless followed by
+a full authentication tag.
+
+For each chunk, the AEAD construction is given the packet header,
+version number, cipher algorithm octet, AEAD algorithm octet, chunk size
+octet, and an eight-octet, big-endian chunk index as additional
+data.  The index of the first chunk is zero.
+
+After the final chunk, the AEAD algorithm is used to produce a final
+authentication tag encrypting the empty string.  This AEAD instance is
+given the additional data specified above, plus an eight-octet,
+big-endian values specifying the total number of plaintext octets
+encrypted.  This allows detection of a truncated ciphertext.
+
+The chunk size octet specifies the size of chunks using the following
+formula (in C), where c is the chunk size octet:
+
+        chunk_size = ((uint64_t)1 << (c + 6))
+
+An implementation MUST support chunk size octets with values from 0
+to 56.  An implementation MAY support other chunk sizes.  Chunk size
+octets with other values are reserved for future extensions.
+
+A new random initialization vector MUST be used for each message.
+
+### {5.14.1} EAX Mode
+
+The only currently defined AEAD algorithm is EAX Mode
+[](#EAX).  This algorithm can only use block ciphers with 16-octet
+blocks.  The starting initialization vector and authentication tag are
+both 16 octets long.
+
+The starting initialization vector for this mode MUST be unique and
+unpredictable.
+
+The nonce for EAX mode is computed by treating the starting
+initialization vector as a 16-octet, big-endian value and
+exclusive-oring the low eight octets of it with the chunk index.
+
+The security of EAX requires that the nonce is never reused, hence the
+requirement that the starting initialization vector be unique.
+
 # {6}  Radix-64 Conversions
 
 As stated in the introduction, OpenPGP's underlying native
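
Review bot: The final-tag paragraph ("After the final chunk, the AEAD algorithm is used to produce a final authentication tag encrypting the empty string") does not say which chunk index goes into the additional data, or into the EAX nonce, for that last AEAD instance, although 5.14.1 derives the nonce from the chunk index. Two implementations can pick different values (the last chunk's index, or the number of chunks) and fail to interoperate, and reusing the last chunk's index would reuse its nonce under the same key, which the EAX section forbids; please state the index explicitly. Also in this hunk: "an eight-octet, big-endian values" should read "value", and "An implementation MAY support other chunk sizes" conflicts with the next sentence reserving other octet values. For c of 58 or more the C expression shifts a 64-bit value by 64 or more bits, which is undefined, so the text should give an upper bound on c above which the packet is rejected.
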
@@ -3087,6 +3162,16 @@ require the use of SHA-1 with the exception of computing version 4 key
 fingerprints and for purposes of the MDC packet.  Implementations
 SHOULD NOT use MD5 or RIPE-MD/160.
 
+## {9.5} AEAD Algorithms
+
+       ID  Algorithm
+ --------  ---------
+        1  EAX [](#EAX)
+ 100--110  Private/Experimental algorithm
+
+Implementations MUST implement EAX.  Implementations MAY implement
+other algorithms.
+
 # {10} IANA Considerations
 
 OpenPGP is highly parameterized, and consequently there are a number
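
Review bot: The table in 9.5 creates a new AEAD algorithm ID space, but the 85 insertions the diffstat lists for middle.mkd are fully accounted for by this hunk and the 5.14 hunk, so nothing is added under "IANA Considerations" for the new registry or for packet tag 18. Please add the registry text there, and say in 9.5 how ID 0 and the unlisted values (2 to 99, 111 to 255) are to be treated, for example as reserved or unassigned, so that a receiver knows what to do when it sees one.
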
diff --git a/template.xml b/template.xml
index 68651ba..85782ce 100644
--- a/template.xml
+++ b/template.xml
@@ -91,6 +91,17 @@
         <date></date>
         </front>
       </reference>
+
+      <reference anchor='EAX'>
+        <front>
+        <title>A Conventional Authenticated-Encryption Mode</title>
+        <author surname="Bellare" initials="M." />
+        <author surname="Rogaway" initials="P." />
+        <author surname="Wagner" initials="D." />
+        <date year="2003" month="April" />
+        </front>
+    </reference>
+
       <reference anchor='ELGAMAL'>
         <front>
         <title>A Public-Key Cryptosystem and a
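
Review bot: The new EAX reference carries only a title, authors and a date; there is no publication venue, series information or target URL, so the rendered entry gives a reader nothing to locate the paper with. Please add where it was published or a stable URL. Minor: the closing "</reference>" is indented four spaces while its opening "<reference anchor='EAX'>" and the neighbouring entries use six.
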
-- 
2.14.0.rc0.284.gd933b75aa4