[openpgp] AEAD encrypted data packet with EAX

"brian m. carlson" <sandals@crustytoothpaste.net> Sun, 21 May 2017 23:43 UTC

I have a proposed pull request for a streaming AEAD encrypted data
packet using EAX mode[0].  I will send a patch shortly.

EAX is a block cipher mode combining CTR mode and OMAC.  It is similar
to CCM and is considered secure.  It can be easily implemented securely
in a variety of languages using the CBC and CTR modes available in most
cryptographic libraries.

The packet allows for fixed-sized chunks from 64 bytes to 65536 bytes
(or larger) in size and also permits streaming.  It contains truncation
detection at the cost of 16 bytes of buffering.

I retained the AEAD algorithm octet so as not to need to overload one
octet with cipher type and AEAD algorithm.  This allows us to use
something like Poly1305 with both AES and ChaCha20 in the future.

I welcome feedback on this proposal.  If it's determined to be viable,
I'd also like to see adjustments to the SKESK and Secret Key packets to
add AEAD support.

[0] https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/4
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204