Re: [openpgp] AEAD Chunk Size

["Neal H. Walfield" <neal@walfield.org>]

On Thu, 14 Mar 2019 15:06:15 +0100,
Werner Koch wrote:
> On Thu, 14 Mar 2019 14:47, neal@walfield.org said:
> 
> > Are you arguing like Werner that catching transmission errors is
> > enough and that we shouldn't bother with ciphertext integrity?
> 
> I never said this.

I was referring to this:

  On Fri, 01 Mar 2019 15:50:15 +0100,
  Werner Koch wrote:
  > Let me repeat it again: The chunking was introduced for just one
  > purpose: To be able to detect rare transmission errors earlier than at
  > the end of the message.


> My point was that you are discussing a certain
> programming pattern on how to implement AEAD modes and I remarked that
> the OpenPGP standard is about a protocol and not an implementation.

I agree that the OpenPGP standard is about a protocol.  My suggestions
are about fixing a security hole in the proposed protocol.

> BTW, OpenPGP provides ciphertext integrity for more than 15 years.

But not for streaming, which is what this discussion is about.

> Experience showed that transmission errors are the major cause for false
> MDC triggered alarms.  We want to detect them earlier and not only at
> the end of the transmission to support real world use cases.  The move
> from CFB+SHA1 to OCB can also be seen in the light of required
> performance improvements.

Performance concerns are secondary to security concerns.  But anyway,
your argument that large chunks are a sensible choice for large pipes
makes no sense, because the protocol doesn't require the
implementation to release chunks as soon as they are authenticated;
they can be buffered.