Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Bryan Ford <> Tue, 23 February 2016 17:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4E73D1ACE22 for <>; Tue, 23 Feb 2016 09:36:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XcUWFTgooFQ6 for <>; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 927F81AC439 for <>; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
Received: by with SMTP id fl4so113781017pad.0 for <>; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=h6AHTkHXoSiHfqwxpE+a8ZBhy4kgJPUECDcEA0L3tmg=; b=0MUwdf01Oi2STDsrRvPlirkYC4ZlETtO1qbfox8Mj6ptlfMKW5XLvdejs8bgF6qbxi K3wW1oMF4I5t6sIkJAZjlSBdQSbyXTVDZYw+0SVHC57dD0HvgCtkxVDbz/542fKt8iv8 4Tkz6CXggavExvQjmkfRtvwGcD9XpeJnb9iUXZFcm2uYSZLTrKbxZu9v7m9CmsWLCLub EkCObvfrnqgv94EVPpvbXbG74f/XBW/LIuFvh77MvrlZhV/os4OGUgNJAOD0DoHsB8yr U7mkE8Yi/KuNhAMIy1+ZUa3tQsoWI3NajZdPnxUA+TEAHTpRtIJRHGLKJO8aVnlFKJMB +iYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=h6AHTkHXoSiHfqwxpE+a8ZBhy4kgJPUECDcEA0L3tmg=; b=UWRB/w6wdMwzNDDlnZYhlSRVwV+K9Ys6vx+gw7+/ITvL+aSB1vkBLVprjQvT+b7KHy OTwh52ZGbBtFBxh8CH9N7EzV7On5s2UzbJngUwYkoOVlXeHJThZCssdU9gRkXrSb13W6 fIQuBgxuqe0jKBAafH5aKV2n6kezo3Wvwl/uiGfOS6g3bshPHbdrjPA0D22keNfNpdlV RGAe8Uss7bWbHSZznCfaRbOjy8Bq/jD9xTRkb7009YwRG0OSbpL9FXuv7anYjl0ZBEiD i7Mzi9CGWLc6vFpxuKG3Isuy+YflBLqg4qZwxJldU0HmvIQIh6W6F+OzSf/iVRivMrzU sL5w==
X-Gm-Message-State: AG10YOT+Kn9EMg3lOXcnVU5OY6RcNzfD+iruehVjGZrMq0jrn+ND/U5Q60m8ePGmxTOgWA==
X-Received: by with SMTP id rv14mr48012920pac.41.1456249007169; Tue, 23 Feb 2016 09:36:47 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id 144sm45523366pfa.83.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 23 Feb 2016 09:36:45 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_A0F2AEC1-F6F9-45DB-B784-00470668A61F"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Bryan Ford <>
In-Reply-To: <>
Date: Tue, 23 Feb 2016 09:36:44 -0800
Message-Id: <>
References: <> <> <> <>
To: Nils Durner <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Subject: Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Feb 2016 17:36:49 -0000

On Feb 10, 2016, at 1:52 PM, Nils Durner <> wrote:
> Hi,
>> To be clear, there are two separate use-cases, each of which make
>> sense without the other and require different technical solutions (but
>> could also make sense together):
>> 1. Streaming-mode integrity protection:
>> [...]
>> To achieve goal #1 properly, it appears that what we need is not only
>> a MAC per chunk but a signature per chunk.
> Different ideas:
> 1. asymmetrically encrypt and sign the MAC key, make this a new packet
>    type to be prepended to the symmetrically encrypted data

By this, do you mean just write one asymmetrically encrypted-and-signed MAC key at the beginning of the stream, followed by a bunch of records that are only MAC-authenticated with that symmetric key?  

This would appear insecure to me, at least in the case the stream is encrypted to two or more recipients.  Say Alice signs-and-encrypts a stream to Bob and Charlie.  Bob takes Alice’s encrypted-and-signed MAC key record, then uses the same MAC key to construct a completely different stream of actual content (all of whose MAC records verify just fine) and sends it to Charlie, claiming that it’s from Alice.

Maybe this is only a problem in the two-or-more-receivers case, but even if so it makes me nervous.  If PGP had a reputable, non-signing sender-authentication mode for 2-party communication only, then it might make sense for an asymmetric “repudiable authentication record” to be followed by a stream of MAC-authenticated records.  But that seems like a fairly different protocol (or at least a fairly different mode).

> 2. derive the MAC key from the symmetric encryption key, sign it (but
>    do not store it) and make this a new packet type to be prepended
>    (thus saving the asymmetric encryption from #1)
> 3. use an authenticating sym cipher mode with intermediate
>    authentication tags, with the symmetric key asymmetrically signed
>    (like #2)

Assuming I’m correctly understanding that in cases #2 and #3 also just have one asymmetric record at the beginning of the stream, it seems like the same considerations apply as with #1.  Perhaps OK for 2-party repudiable authentication, but not if we need to retain the signed-message semantics that PGP currently provides especially in the multiple-receiver case.