Re: [openpgp] AEAD Chunk Size

Jon Callas <joncallas@icloud.com> Fri, 29 March 2019 20:49 UTC

Return-Path: <joncallas@icloud.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8FD3120356 for <openpgp@ietfa.amsl.com>; Fri, 29 Mar 2019 13:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level:
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id we7gO5ZmaBB5 for <openpgp@ietfa.amsl.com>; Fri, 29 Mar 2019 13:49:01 -0700 (PDT)
Received: from mr85p00im-zteg06022001.me.com (mr85p00im-zteg06022001.me.com [17.58.23.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5052120366 for <openpgp@ietf.org>; Fri, 29 Mar 2019 13:49:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=04042017; t=1553892541; bh=fs6gred3Je7rUtRv8bGcTj+JBbMwY0m+gjIcQPczZFQ=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=vjzmRVJzNmPSNbb/Bh7TZnVPH6rCiZAJ9t7lNzzrId8MLF1mi0+ZOx8vXZ/FMYnNC WgKYNjtMFyqz6ViraMIn5rOEKXxuC6O3HaqmKHhUjdcEuIHoCYYcO1+8Fi9grh+ucQ I0A9Inm+FcqfrpkDf8rRLRepX6BNaHrLc5Z6Fom+Ck8WT4tjXge/j+VqLWwW4kLWKE uuGYU1hoffbDav88VZN2PuNz9X6FrzhyUXY7gYWwrmKxtLhVwzEiXbQIEMMEhTyPPd wdlt2LNYXuoH+KqRvW7v+aqWZOJwJ2wJBTOKhM//s9I1LbIdi6kNFrwcV9BHIieZ/w Qu1y4DtoPRMzg==
Received: from [192.168.7.69] (thing1.merrymeet.com [173.164.244.99]) by mr85p00im-zteg06022001.me.com (Postfix) with ESMTPSA id BF5809000DE; Fri, 29 Mar 2019 20:49:00 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Jon Callas <joncallas@icloud.com>
In-Reply-To: <87zhpd21d3.wl-neal@walfield.org>
Date: Fri, 29 Mar 2019 13:48:59 -0700
Cc: Jon Callas <joncallas@icloud.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "openpgp@ietf.org" <openpgp@ietf.org>, Justus Winter <justuswinter@gmail.com>, Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D9D1ACD4-4944-495C-A058-1AA5D25FF8CF@icloud.com>
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <87zhpd21d3.wl-neal@walfield.org>
To: "Neal H. Walfield" <neal@walfield.org>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-29_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 mlxscore=0 mlxlogscore=800 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1812120000 definitions=main-1903290143
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/FUQhx7_Wq3RIg-qO5ApTqOc4z3Q>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 20:49:04 -0000


> On Mar 29, 2019, at 7:37 AM, Neal H. Walfield <neal@walfield.org> wrote:
> 
> 
> Ok.  Is your position that the working group should remove AEAD from
> 4880bis until there is an academic study proving people need it?

I think that if Peter wanted to remove AEAD, he’d just say that.

But no, the whole reason he and I and others are debating is that we think that AEAD in OpenPGP is a Good Idea.

> 
>>> Efail occured.  Why is that not enough?
>> 
>> That was due to broken email apps.  If I can convince your email app to
>> forward the plaintext of a decrypted message to me, you lose no matter what
>> encryption mechanism you use.
>> 
>> Admittedly CBC/CFB made this easier, but it was the email apps that needed
>> fixing, not PGP.
> 
> I see it differently.  I would say it was a combination of the email
> applications needing fixing and PGP needing fixing.

Before I go further, it’s OpenPGP. This working group is OpenPGP.

PGP is a software product owned by Symantec. It implements OpenPGP, as well as S/MIME, X.509, and a whole lot of other things.

> 
> PGP encourages implementations to support streaming, and most do.
> But, using 4880, this means that an application may see plaintext from
> unauthenticated ciphertext.  Efail shows how that can be exploited by
> ***modifying the ciphertext*** (a PGP problem) to create a potential
> exfiltration channel.  Using chunked AEAD correctly, this type of
> attack is not possible: it is possible to stream, and only release
> plaintext from authenticated ciphertext.
> 
> Now, applications could have protected themselves from this attack if
> they had backed out the message on MDC failure.  But, they didn't.
> And, I'd argue that a major reason that they didn't was because this
> type of attack is not well understood by application developers.
> Application developers understand truncation.  But, ciphertext
> modification is something that most have probably never heard of.
> Since we can protect application developers from ciphertext
> modification, I would argue that not doing so is negligent.
> 
> So, if we are distributing blame, and I'd rather not play that game,
> then I'd place 90% of the blame on the WG and the PGP implementations,
> and only 10% on the mail application developers.

Then why does it work with S/MIME? Do they get 90% too?

That brings us up to 190% of the blame, which might be called for, given that it is a major cluster, but I think it’s orthogonal to what we’re talking about here.

How about if we just work on AEAD instead of debating Efail? Especially since we agree on AEAD being needed.

	Jon