Re: [openpgp] AEAD Chunk Size

Nickolay Olshevsky <o.nickolay@gmail.com> Tue, 19 March 2019 18:58 UTC

Return-Path: <o.nickolay@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBBE11314D1 for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 11:58:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qqPRykvocLu for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 11:58:30 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ABD51314D3 for <openpgp@ietf.org>; Tue, 19 Mar 2019 11:58:30 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id s15so9623wra.12 for <openpgp@ietf.org>; Tue, 19 Mar 2019 11:58:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Lgo58S3D8Tp6f6IJgW/OzoKUUQd9HyL8TMUzG/eA5Mc=; b=A5aIHT+62cBS0Qdp8aCw+0hP0w8JH1Bc+7dNYVY60s5fAVTbRylEMr5nzVrzuPzupY nvqqykslVDDOdr189l+oc4OKyKDscs7T8lbMx4hymEZY4zlU9qvDFUJ9MjTfrrp0TgM9 SRz/eNLpDODNK16iBsn9PihFYq/76hHGvjBsQ1wgh0PZSwC5JJRBN3PNhFbs+Pk0bZM2 W9emlHDRthBXtm1O79c17ylJHlkAh7im5JHAh8R3qfWE9KS6D9+vPR5P9TpV8ehGS5YF tc3WG/UtHPsvxrsTUyulKqYl0ZdK32MIinniZOjl7LyiAQ1IjgUyBfPFo3fIT/gJiGAp u8Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:mime-version:subject:from:in-reply-to :date:cc:content-transfer-encoding:message-id:references:to; bh=Lgo58S3D8Tp6f6IJgW/OzoKUUQd9HyL8TMUzG/eA5Mc=; b=g0rsFSlCsG5M2R0QKdgGzVBU5lOUN1GZx2MBriiutmzppPSpTnsupPYVMXDhiqPmKB Wbvbme6MXJ3mjEAYPUEFNqaV9tJvLDrOtkVz+Ge1YP0PdIGjVQvigwSSkChOOzSJRxgM D/EFGJBMf26/YGTjyRFGpqSQOAfixfV/uurPVyN3/CsmrbCDHSUbyTW3HjZWa5XWzo3E uDYXTguSRDROFaWR5kcr6cuZ62qdm2ASUe+tM8p7gxz8vEtN4KSN7onyebQ5YnlDxRbY cJM/O9R5kRQlWM97C7FjQTmJL8NaWoyo9gvWnRNVRtriDrM62QJqnycZ1MgSo4kCykfB ZYEg==
X-Gm-Message-State: APjAAAWg6bgdCXuENvMWv5hiJbiUppOgRNIByBJIFiL5vFTIMrvxffLX hcW7y6hMVbuK7+WiaSiJNJT4BdTl
X-Google-Smtp-Source: APXvYqy47VygdsrYpuhJrP45wp9cKiZ4ryfeTUEsGjFzu/0dh6+IqcVSZ97T+V9h4s/nAtyQqTMS1w==
X-Received: by 2002:adf:fb82:: with SMTP id a2mr9262613wrr.214.1553021908928; Tue, 19 Mar 2019 11:58:28 -0700 (PDT)
Received: from [192.168.1.11] ([134.17.139.150]) by smtp.gmail.com with ESMTPSA id t15sm9996072wrr.16.2019.03.19.11.58.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Mar 2019 11:58:28 -0700 (PDT)
Sender: Nickolay Olshevsky <dark.ni4@gmail.com>
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Nickolay Olshevsky <o.nickolay@gmail.com>
In-Reply-To: <87lg1a3fcl.wl-neal@walfield.org>
Date: Tue, 19 Mar 2019 21:57:56 +0300
Cc: IETF OpenPGP <openpgp@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EEB7BE70-C07C-41B1-999D-F45E61ABFD2E@gmail.com>
References: <87d0n174w6.fsf@wheatstone.g10code.de> <87mumh33nc.wl-neal@walfield.org> <3GFS71V7BTJNZ.29C5TO8OY0O44@my.amazin.horse> <sjmy35isypu.fsf@securerf.ihtfp.org> <87r2bax5u2.wl-neal@walfield.org> <sjmlg1hskdq.fsf@securerf.ihtfp.org> <87pnqtwot9.wl-neal@walfield.org> <87y35hy2i0.fsf@wheatstone.g10code.de> <87k1h0we7w.wl-neal@walfield.org> <87va0g65ht.fsf@wheatstone.g10code.de> <87va0gioae.wl-neal@walfield.org> <431ea8fdaca6b3d20e19cfe2a14f6c96.squirrel@mail2.ihtfp.org> <87mulsi7ms.wl-neal@walfield.org> <sjmpnqmrg1b.fsf@securerf.ihtfp.org> <87lg1a3fcl.wl-neal@walfield.org>
To: "Neal H. Walfield" <neal@walfield.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/NIilCmwdSi7P2TV9yyCF0GsOSpM>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 18:58:41 -0000

Hi Neal & others,
Tried to follow the discussion as much as possible, but probably missed some pages.

Independent on chunk size, we get to the issue of large message transfer, which in practice is used widely (large corporations, banks, media companies, whatever else).
The case with small chunk size and damaged last chunk is actually (almost) the same as the case with the single large chunk - you output, say, 20GB of data and then realize that it is broken. The same would happen with streamed transfer of large signed objects.

If you have data stored in file/memory/database you may first check it, and then decide whether it is ok or not, spending resources on two passes.
But while streaming large amounts of data which doesn’t fit to memory there is no choice - you still need to process it in smaller blocks, without guarantee that error will not come later on. Underlying compression or other known data structure comes in handy - it will serve as additional layer of security (not 100% of course) for transmission errors or transfer intervention.
In any case you first output a load of data and then must discard it.

So, my opinion is that we may leave things as they are, or just extend with recommendations based on performance. 
Given the fact that now not 100% of implementations support AEAD even partially.


> On Mar 19, 2019, at 21:10, Neal H. Walfield <neal@walfield.org> wrote:
> 
> Hi Derek,
> 
> Thanks for your analysis.  I think the AEAD chunking algorithm is
> sound, if it is used correctly.
> 
> My issue is that I don't think it is possible to use the chunking
> algorithm correctly for large chunk sizes.  For instance, what should
> an implementation do if it encounters a chunk size of 16 TB (and there
> really can be >16 TB of data using a small decompression bomb)?
> Should it be allowed to emit unauthenticated plaintext?
> 
> Let's assume that we allow implementations to emit unauthenticated
> plaintext for large chunk sizes.  An attacker who intercepts a message
> can change the chunk size to be above this limit.  Now, clearly this
> will fail the authentication check, but we just allowed
> implementations to release the plaintext for large chunk sizes.  So,
> if my analysis and experiments are correct, then using AEAD will never
> provide ciphertext integrity for the first chunk against an active
> attacker.
> 
> Let's assume that we don't allow implementations to ever emit
> unauthenticated plaintext.  Well, if they encounter a large chunk that
> they can't buffer, they MUST fail.  Ouch!  User's will work around
> that and implementations will help.  (As I've pointed out, one already
> has.  I don't know if it was an oversight.)
> 
> So, my conclusion is, we must prohibit implementations from emitting
> unauthenticated plaintext *and* remove any incentives to do so.  For
> me, this means a small, fixed chunk size.
> 
> 
> Does this clarify my concerns?
> 
> Thanks!
> 
> :) Neal
> 
> At Tue, 19 Mar 2019 12:21:36 -0400,
> Derek Atkins wrote:
>> 
>> Neal,
>> 
>> "Neal H. Walfield" <neal@walfield.org> writes:
>> 
>>> Well, whatever :).  As I understand Werner, he agrees that ciphertext
>>> integrity while streaming is desirable, and, I guess, thinks that is
>>> achievable with the current draft.  I don't think it is possible, and
>>> I've raised a few concerns in my prior mails.  I hope Werner can
>>> address those concerns.
>> 
>> I admit that I have not studied the current draft closely, so my
>> comments might be out of whack, but my expectation is that the AEAD and
>> Chunking are done hand-in-hand.  The chunk metadata (number/size/etc)
>> should be protected by the AEAD.
>> 
>> So let's say you have a message that gets processed as:
>> 
>> [Chunk 1] [Chunk 2] [Chunk 3/final]
>> 
>> In the normal case, the receiver will process Chunk 1, then Chunk 2, and
>> then Chunk 3, and depending on the implementation MAY emit the Chunk 1
>> plaintext (which HAS BEEN AUTHENTICATED) before it processes Chunk 2
>> and/or Chunk 3.
>> 
>> What can an attacker do?
>> 
>> * If they modify the chunk size, the AEAD on that chunk will fail and
>>  therefore the data should not be emitted.  Note that this COULD cause
>>  the receiver to emit Chunk 1 and then "stop".
>> 
>> * If they cause Chunk 3 to disappear, they could get the receiver to emit
>>  Chunks 1 and 2 and then stop with.  But again, Chunk1 and Chunk2 are
>>  still authenticated.
>> 
>> * If they cause Chunk 2 to disappear, the numbering will be out of order
>>  and the receiver can emit an error.
>> 
>> * They can insert fake chunks.  Let's say they cause the following:
>>  [Chunk 1] [Chunk 2'] [Chunk 2] [Chunk 3'] [Chink 3/final]
>> 
>>  In this case, the attacker is inserting Chunk 2' and Chunk 3',
>>  claiming to be chunks 2 and 3 respectively.  So the question is, what
>>  happens here?  Well, the chunking here is expecting encryption (at
>>  least I think it should be expecting encryption).  So they would
>>  authenticate Chunk 1 (and possibly emit it), but when processing Chunk
>>  2' they would fail on the AEAD because the attacker doesn't know the
>>  key.
>> 
>>  The chunking should not allow any other type of data here.
>> 
>> Am I missing another attack?
>> 
>> [snip]
>>>> Which implementation?  The sender or the receiver?
>>> 
>>> I'm assuming that the sender is using the best we have to offer, i.e.,
>>> chunked AEAD.
>>> 
>>> I'm assuming that the receiver emits unauthenticated plaintext in some
>>> situations.
>> 
>> In what situations would the receiver emit unauthenticated plaintext?
>> 
>>>> Also, who is the
>>>> attacker?  The Sender?  Or a third party?
>>> 
>>> I'm thinking of something like EFAIL.  So, a third-party attacker who
>>> modifies the ciphertext.
>> 
>> EFAIL was more that that -- it was also leveraging the fact that USERS
>> of OpenPGP would merge the contents of authenticated and
>> non-authenticated data when presented in e.g. a MIME context, such that
>> the processor could not differentiate between the protected and
>> unprotected content.
>> 
>>>> The only attack is a DoS if the end is
>>>> truncated, and the earlier (valid) chunks have already been released.
>>>> 
>>>> In other words, AEAD is used for each chunked block as a single, coherent
>>>> piece.  Also I don't see how an attacker (third party) could leverage this
>>>> at all.  They couldn't change the chunk size enroute.
>>> 
>>> I hacked Sequoia to emit unauthenticated data, and I was able to
>>> change the chunk size and still get the plaintext of at least the
>>> first chunk of a message.  So, my concern is: if a receiving
>>> implementation releases unauthenticated plaintext for large chunks
>>> rather than fail with ENOMEM, then a third-party attacker can change
>>> the chunk size of an intercepted message, and cause the receiver to
>>> process unauthenticated data, even though a small chunk size was
>>> originally used.
>> 
>> Sure, but the first chunk of the message was authenticated when it was
>> emitted.  The SECOND chunk failed, and I bet it stopped processing!
>> 
>> This is what SHOULD happen.
>> 
>>>> Each chunk is either
>>>> authenticated, or an error occurs.  On error, it wouldn't be released.
>>> 
>>> The question for me is: what does an implementation do if it can't
>>> buffer the message?  Does it really throw an error?  There already
>>> exists at least one implementation written by an editor listed on
>>> 4880bis that processes unauthenticated plaintext.
>> 
>> I think we have different definitions of unauthenticated plaintext here.
>> 
>> In a chunked message, plaintext is authenticated PER CHUNK.  So once
>> Chunk 1 is processed, it is considered authenticated, and the
>> implementation is free to emit it, even if Chunk 2 fails.
>> 
>> If Chunk 2 fails its AEAD check (but Chunk 1 processed successfully), do
>> you consider the plaintext of Chunk 1 unauthenticated?  If so, why?
>> 
>> -derek
>> 
>> -- 
>>       Derek Atkins                 617-623-3745
>>       derek@ihtfp.com             www.ihtfp.com
>>       Computer and Internet Security Consultant
>> 
>> _______________________________________________
>> openpgp mailing list
>> openpgp@ietf.org
>> https://www.ietf.org/mailman/listinfo/openpgp
>> 
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp