Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Bryan Ford <brynosaurus@gmail.com> Tue, 23 February 2016 17:36 UTC

Return-Path: <brynosaurus@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E73D1ACE22 for <openpgp@ietfa.amsl.com>; Tue, 23 Feb 2016 09:36:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcUWFTgooFQ6 for <openpgp@ietfa.amsl.com>; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 927F81AC439 for <openpgp@ietf.org>; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
Received: by mail-pa0-x22b.google.com with SMTP id fl4so113781017pad.0 for <openpgp@ietf.org>; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=h6AHTkHXoSiHfqwxpE+a8ZBhy4kgJPUECDcEA0L3tmg=; b=0MUwdf01Oi2STDsrRvPlirkYC4ZlETtO1qbfox8Mj6ptlfMKW5XLvdejs8bgF6qbxi K3wW1oMF4I5t6sIkJAZjlSBdQSbyXTVDZYw+0SVHC57dD0HvgCtkxVDbz/542fKt8iv8 4Tkz6CXggavExvQjmkfRtvwGcD9XpeJnb9iUXZFcm2uYSZLTrKbxZu9v7m9CmsWLCLub EkCObvfrnqgv94EVPpvbXbG74f/XBW/LIuFvh77MvrlZhV/os4OGUgNJAOD0DoHsB8yr U7mkE8Yi/KuNhAMIy1+ZUa3tQsoWI3NajZdPnxUA+TEAHTpRtIJRHGLKJO8aVnlFKJMB +iYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=h6AHTkHXoSiHfqwxpE+a8ZBhy4kgJPUECDcEA0L3tmg=; b=UWRB/w6wdMwzNDDlnZYhlSRVwV+K9Ys6vx+gw7+/ITvL+aSB1vkBLVprjQvT+b7KHy OTwh52ZGbBtFBxh8CH9N7EzV7On5s2UzbJngUwYkoOVlXeHJThZCssdU9gRkXrSb13W6 fIQuBgxuqe0jKBAafH5aKV2n6kezo3Wvwl/uiGfOS6g3bshPHbdrjPA0D22keNfNpdlV RGAe8Uss7bWbHSZznCfaRbOjy8Bq/jD9xTRkb7009YwRG0OSbpL9FXuv7anYjl0ZBEiD i7Mzi9CGWLc6vFpxuKG3Isuy+YflBLqg4qZwxJldU0HmvIQIh6W6F+OzSf/iVRivMrzU sL5w==
X-Gm-Message-State: AG10YOT+Kn9EMg3lOXcnVU5OY6RcNzfD+iruehVjGZrMq0jrn+ND/U5Q60m8ePGmxTOgWA==
X-Received: by 10.66.226.238 with SMTP id rv14mr48012920pac.41.1456249007169; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
Received: from [172.25.0.204] (rrcs-67-52-140-5.west.biz.rr.com. [67.52.140.5]) by smtp.gmail.com with ESMTPSA id 144sm45523366pfa.83.2016.02.23.09.36.45 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 23 Feb 2016 09:36:45 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_A0F2AEC1-F6F9-45DB-B784-00470668A61F"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <56BBB13B.3000507@googlemail.com>
Date: Tue, 23 Feb 2016 09:36:44 -0800
Message-Id: <6CC794D8-3BE2-454C-A53B-AAA67E2DE84D@gmail.com>
References: <87twp91d8r.fsf@alice.fifthhorseman.net> <CAM_a8Jy-ZoGJ3qTgN5PFA2ZKnbtSy5GWhWhUeF2NHYgWUQ0zYA@mail.gmail.com> <3A98EA92-0C2F-46A7-8D06-880FC83CB110@gmail.com> <56BBB13B.3000507@googlemail.com>
To: Nils Durner <ndurner@googlemail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/G1qwsSPkDTgFSOtTWXVFOF7Twio>
Cc: openpgp@ietf.org
Subject: Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 17:36:49 -0000

On Feb 10, 2016, at 1:52 PM, Nils Durner <ndurner@googlemail.com>; wrote:
> Hi,
> 
>> To be clear, there are two separate use-cases, each of which make
>> sense without the other and require different technical solutions (but
>> could also make sense together):
>> 
>> 1. Streaming-mode integrity protection:
>> 
>> [...]
>> 
>> To achieve goal #1 properly, it appears that what we need is not only
>> a MAC per chunk but a signature per chunk.
> 
> Different ideas:
> 
> 1. asymmetrically encrypt and sign the MAC key, make this a new packet
>    type to be prepended to the symmetrically encrypted data

By this, do you mean just write one asymmetrically encrypted-and-signed MAC key at the beginning of the stream, followed by a bunch of records that are only MAC-authenticated with that symmetric key?  

This would appear insecure to me, at least in the case the stream is encrypted to two or more recipients.  Say Alice signs-and-encrypts a stream to Bob and Charlie.  Bob takes Alice’s encrypted-and-signed MAC key record, then uses the same MAC key to construct a completely different stream of actual content (all of whose MAC records verify just fine) and sends it to Charlie, claiming that it’s from Alice.

Maybe this is only a problem in the two-or-more-receivers case, but even if so it makes me nervous.  If PGP had a reputable, non-signing sender-authentication mode for 2-party communication only, then it might make sense for an asymmetric “repudiable authentication record” to be followed by a stream of MAC-authenticated records.  But that seems like a fairly different protocol (or at least a fairly different mode).

> 2. derive the MAC key from the symmetric encryption key, sign it (but
>    do not store it) and make this a new packet type to be prepended
>    (thus saving the asymmetric encryption from #1)
> 3. use an authenticating sym cipher mode with intermediate
>    authentication tags, with the symmetric key asymmetrically signed
>    (like #2)

Assuming I’m correctly understanding that in cases #2 and #3 also just have one asymmetric record at the beginning of the stream, it seems like the same considerations apply as with #1.  Perhaps OK for 2-party repudiable authentication, but not if we need to retain the signed-message semantics that PGP currently provides especially in the multiple-receiver case.

Cheers
Bryan