Re: [openpgp] AEAD Chunk Size

Bart Butler <bartbutler@protonmail.com> Thu, 28 February 2019 00:46 UTC

Return-Path: <bartbutler@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F51131238 for <openpgp@ietfa.amsl.com>; Wed, 27 Feb 2019 16:46:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v59XJuV1dFZH for <openpgp@ietfa.amsl.com>; Wed, 27 Feb 2019 16:45:59 -0800 (PST)
Received: from mail-40132.protonmail.ch (mail-40132.protonmail.ch [185.70.40.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06CD4131230 for <openpgp@ietf.org>; Wed, 27 Feb 2019 16:45:56 -0800 (PST)
Date: Thu, 28 Feb 2019 00:45:52 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1551314753; bh=Q6CcqgZQN8CHP0ThUfPzkSGkbrWsaHrNHoJsoOoK8gI=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=G3xCZOokuLtJuHyQ+p/lWjblQy8pCNIxtoNhe3Xd2Ptx+GqVFKOXWmxM4OAWNRNYo ZXveO+YfEJdR0XDme9x3B/B7ZKuF9tn98PkIRMqUmBPpZizGfM89sPswHlxmcXKJeo 2lDTiVsf1BEFqgop5eRLGudvkeos2EtWfjT9vGrM=
To: Jon Callas <joncallas@icloud.com>
From: Bart Butler <bartbutler@protonmail.com>
Cc: Vincent Breitmoser <look@my.amazin.horse>, "openpgp@ietf.org" <openpgp@ietf.org>, "Neal H. Walfield" <neal@walfield.org>
Reply-To: Bart Butler <bartbutler@protonmail.com>
Message-ID: <gqB_oCEBF2U1CDCY7IaW8pLh0SMtaVydDa5b8CD5Q-tE_4mbQgwlUVSgtWGHptl9flfb8N2L3tcdU5yY9O-TOkvFbjzf_hk3E4Hp1AMBVrk=@protonmail.com>
In-Reply-To: <431339C1-8DDA-47D0-B233-9B7F49F0692A@icloud.com>
References: <87mumh33nc.wl-neal@walfield.org> <F9VLV9HZWH.3RYL3UM3BN873@my.amazin.horse> <3WZ7-hy9V7TOy53p1gP5EXELzHJIqjouV9x0YTN3PWsBZedKkqvVCRm-2XzGZy-FYAYdTqP1-7YV4wbTWMWAYhSujQA6NmrnIuXfZLRHkdQ=@protonmail.com> <CAB941EE-6961-4CAB-9632-DFF738980467@icloud.com> <HBifY5kv2OqoajWurbHh_-NyZaBUZGabUpbxfhLlw8lTEuJVAiaHr-hhL_v5jKI-uqfeTIKD2S8VbEKvImC2sxhSlxD3GsT8LBzXKaOeHLI=@protonmail.com> <431339C1-8DDA-47D0-B233-9B7F49F0692A@icloud.com>
Feedback-ID: XShtE-_o2KLy9dSshc6ANALRnvTQ9U24aqXW2ympbGschdpHbU6GYCTUCtfmGhY9HmOyP1Uweyandwh1AVDFrQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha512; boundary="---------------------1886749762836d19a5057839f60c6503"; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/AUOvnNtwf1GicirrVucQGKsTz3E>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 00:46:05 -0000

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, February 27, 2019 4:03 PM, Jon Callas <joncallas@icloud.com> wrote:

> 

> 

> > On Feb 27, 2019, at 3:00 PM, Bart Butler bartbutler@protonmail.com wrote:
> > Hi Jon,
> > Do I understand correctly that you oppose shrinking the allowable range with MUST at all too? I think the argument for this is fairly convincing from a usage perspective to ensure that someone decrypting a large message is not obligated to download a huge amount of data before finding out that it is corrupted or otherwise has been tampered with. Likewise, we had to address unanticipated performance issues in OpenPGP.js with very small chunks which could have allowed a bad actor to essentially DoS the library with a strangely-constructed message.
> > In other words, I'm not really swayed by the implementation simplification argument but I do think that very small or very large chunk size, in addition to probably being useless, pose a real threat in terms of abuse.
> > So I think having a MUST for the range, maybe 16kiB to 256 kiB, or 16 kiB to 1024 kiB is a reasonable thing to do. And as long as we keep the size byte, we can always increase the upper limit of the range in the future if needed.
> 

> My warning is against shooting someone else in the foot, or forcing them to use some other protocol.
> 

> Thus, saying (e.g.) that the range MUST be between 1K and 16K is a bad idea; we even know now that 256K has in some cases an efficiency advantage. You can say, MUST support 1K to 16K, SHOULD support up to 256K and MAY support larger sizes. There can also be a couple of paragraphs to explain that there are good reasons neither to be very small nor very large.

The problem is that MAY for either very small or very large chunks sizes in some ways forces library maintainers to have support for these chunk sizes because they WILL appear in the wild, and then there will be complaints if they do not decrypt. If they are technically legal then everyone has to account for these edge cases in their apps--i.e., a 1-chunk AEAD multi-gigabyte movie which you technically can't start playback until the whole thing has been downloaded and buffered because the authentication is only at the end.

> 

> My concern is someone saying something like, “Gosh, I’d like to have OpenPGP AEAD encryption for S3 Objects, but I can’t ‘cause those go up to 5TB.” Anyone who’s going to use 5TB objects probably knows the headaches they inherit and yeah, you aren’t going to do that on a Cortex M0.
> 

> Does this make sense?
> 

> Jon

It does, and normally on this kind of thing I would completely agree with you, but in this case I think there are two mitigating factors:

1. AEAD chunk size does not limit message/file size in any meaningful way assuming we set the upper limit chunk size to something reasonable like 1024 kiB, you just use multiple chunks, which is the idea anyway.
2. Abuse potential in an open standard

It's #2 which is really compelling for me for exactly the reason that we DO want this to be usable for arbitrary uses and message sizes in federated contexts, and for that to be possible we need to try to set reasonable limits to prevent malicious or careless users from creating bad-but-legal payloads.