[openpgp] [PATCH 1/3] Add AEAD Encrypted Data Packet with EAX
"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 21 July 2017 22:27 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B5A512F3D0 for <openpgp@ietfa.amsl.com>; Fri, 21 Jul 2017 15:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aa2No8Qso4NQ for <openpgp@ietfa.amsl.com>; Fri, 21 Jul 2017 15:27:33 -0700 (PDT)
Received: from castro.crustytoothpaste.net (sandals-1-pt.tunnel.tserv8.dal1.ipv6.he.net [IPv6:2001:470:1f0e:3f1::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91034126DC2 for <openpgp@ietf.org>; Fri, 21 Jul 2017 15:27:33 -0700 (PDT)
Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id 9B985280AD for <openpgp@ietf.org>; Fri, 21 Jul 2017 22:27:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1500676052; bh=lkAO6yKNTqq1zXiGkSCyTRlexTsARVVieiV8hac2REU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=qgZxdfL939KRBv24L+CTZU6UCDefsPZVGDeZb5gd6x1CIxnc6y59IK6WLcefi2lCf LSOq8K8ovQ/uvenC3MhGOdRbkv1pZlQ9sikFgKJ1lp316HqIk566SG4l0IPJFLUIf8 f+aR9As3YGfAHnbFYWizgFTUdU962isjaKkCfYpmnuYir/H5NVi3EVKQGXK9UzVGm5 pQ+KHTdjUAMK8cad2QFBBDavSzghVuwg3AyeDn8oTurZw55rDGWgVuEyhCeLBShiNm eGk63h/lWH5QkbDfsO2mONRyDlioJshA/pXGdnuVlKaj1JNdGv58YosZk934Af6LPh j9v+t+342LBIMgSvoAOUd1Gyt9Ym+xqpbjR9xawmupEymxhAz3wjKCza+Igu3yZwWV Ad87HzUGk6UpncN8rGeO/aevKBQPEsvwF/nvArLuSnJWqHjCczlItQrdf5KnHkleln 5xdlkD189XVVw/b5reDJzlIsZalMeSNkgQghr/cpc0sHpyfKmRJ
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Date: Fri, 21 Jul 2017 22:27:16 +0000
Message-Id: <20170721222718.382455-1-sandals@crustytoothpaste.net>
X-Mailer: git-send-email 2.14.0.rc0.284.gd933b75aa4
In-Reply-To: <20170721222149.po4xohnzzdhlegcb@genre.crustytoothpaste.net>
References: <20170721222149.po4xohnzzdhlegcb@genre.crustytoothpaste.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/93rhjbKj0BpCkCwESvjJJNn4YkU>
Subject: [openpgp] [PATCH 1/3] Add AEAD Encrypted Data Packet with EAX
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 22:27:35 -0000
--- middle.mkd | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ template.xml | 11 ++++++++ 2 files changed, 96 insertions(+) diff --git a/middle.mkd b/middle.mkd index c2447d5..166b575 100644 --- a/middle.mkd +++ b/middle.mkd @@ -2550,6 +2550,81 @@ packet length. The reason for this is that the hashing rules for modification detection include a one-octet tag and one-octet length in the data hash. While this is a bit restrictive, it reduces complexity. +## {5.14} AEAD Encrypted Data Packet (Tag 18) + +This packet contains data encrypted with an authenticated encryption and +additional data (AEAD) construction. When it has been decrypted, it +will typically contain other packets (often a Literal Data packet or +Compressed Data packet). + +The body of this packet consists of: + + * A one-octet version number. The only currently defined value + is 1. + + * A one-octet cipher algorithm. + + * A one-octet AEAD algorithm. + + * A one-octet chunk size. + + * A starting initialization vector of size specified by the AEAD + algorithm. + + * Encrypted data, the output of the selected symmetric-key cipher + operating in the given AEAD mode. + + * A final, summary authentication tag for the AEAD mode. + +An AEAD encrypted data packet consists of one or more chunks of data. +The plaintext of each chunk is of a size specified using the chunk size +octet using the method specified below. + +The encrypted data consists of the encryption of each chunk of +plaintext, followed immediately by the relevant authentication tag. If +the last chunk of plaintext is smaller than the chunk size, the +ciphertext for that data may be shorter; it is nevertheless followed by +a full authentication tag. + +For each chunk, the AEAD construction is given the packet header, +version number, cipher algorithm octet, AEAD algorithm octet, chunk size +octet, and an eight-octet, big-endian chunk index as additional +data. The index of the first chunk is zero. + +After the final chunk, the AEAD algorithm is used to produce a final +authentication tag encrypting the empty string. This AEAD instance is +given the additional data specified above, plus an eight-octet, +big-endian values specifying the total number of plaintext octets +encrypted. This allows detection of a truncated ciphertext. + +The chunk size octet specifies the size of chunks using the following +formula (in C), where c is the chunk size octet: + + chunk_size = ((uint64_t)1 << (c + 6)) + +An implementation MUST support chunk size octets with values from 0 +to 56. An implementation MAY support other chunk sizes. Chunk size +octets with other values are reserved for future extensions. + +A new random initialization vector MUST be used for each message. + +### {5.14.1} EAX Mode + +The only currently defined AEAD algorithm is EAX Mode +[](#EAX). This algorithm can only use block ciphers with 16-octet +blocks. The starting initialization vector and authentication tag are +both 16 octets long. + +The starting initialization vector for this mode MUST be unique and +unpredictable. + +The nonce for EAX mode is computed by treating the starting +initialization vector as a 16-octet, big-endian value and +exclusive-oring the low eight octets of it with the chunk index. + +The security of EAX requires that the nonce is never reused, hence the +requirement that the starting initialization vector be unique. + # {6} Radix-64 Conversions As stated in the introduction, OpenPGP's underlying native @@ -3087,6 +3162,16 @@ require the use of SHA-1 with the exception of computing version 4 key fingerprints and for purposes of the MDC packet. Implementations SHOULD NOT use MD5 or RIPE-MD/160. +## {9.5} AEAD Algorithms + + ID Algorithm + -------- --------- + 1 EAX [](#EAX) + 100--110 Private/Experimental algorithm + +Implementations MUST implement EAX. Implementations MAY implement +other algorithms. + # {10} IANA Considerations OpenPGP is highly parameterized, and consequently there are a number diff --git a/template.xml b/template.xml index 68651ba..85782ce 100644 --- a/template.xml +++ b/template.xml @@ -91,6 +91,17 @@ <date></date> </front> </reference> + + <reference anchor='EAX'> + <front> + <title>A Conventional Authenticated-Encryption Mode</title> + <author surname="Bellare" initials="M." /> + <author surname="Rogaway" initials="P." /> + <author surname="Wagner" initials="D." /> + <date year="2003" month="April" /> + </front> + </reference> + <reference anchor='ELGAMAL'> <front> <title>A Public-Key Cryptosystem and a -- 2.14.0.rc0.284.gd933b75aa4
- [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- [openpgp] [PATCH] Add AEAD Encrypted Data Packet … brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- [openpgp] [PATCH 1/3] Add AEAD Encrypted Data Pac… brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- [openpgp] [PATCH 3/3] Add AEAD mode for Secret Ke… brian m. carlson
- [openpgp] [PATCH 2/3] Define AEAD mode for SKESK … brian m. carlson
- Re: [openpgp] [PATCH 1/3] Add AEAD Encrypted Data… brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch