Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Nils Durner <ndurner@googlemail.com> Wed, 10 February 2016 21:53 UTC

Hi,

> To be clear, there are two separate use-cases, each of which makes
> sense without the other and requires different technical solutions (but
> could also make sense together):
>
> 1. Streaming-mode integrity protection:
>
> [...]
>
> To achieve goal #1 properly, it appears that what we need is not only
> a MAC per chunk but a signature per chunk.

Different ideas:

 1. asymmetrically encrypt and sign the MAC key, make this a new packet
    type to be prepended to the symmetrically encrypted data
 2. derive the MAC key from the symmetric encryption key, sign it (but
    do not store it) and make this a new packet type to be prepended
    (thus saving the asymmetric encryption from #1)
 3. use an authenticating sym cipher mode with intermediate
    authentication tags, with the symmetric key asymmetrically signed
    (like #2)


> 4. What are reasonable upper- and lower-bounds for chunk sizes, and
> what are the considerations behind them? 

... or put differently in light of idea #3: at what intervals would
authentication tags ideally be generated?


Best regards,

Nils
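
An added example, not part of the message above or of any OpenPGP specification: Python code for the chunk-level check behind idea #2 and the tag-interval question, where each chunk carries its own tag so a reader can release data before the end of the stream. Assumptions of this example: HMAC-SHA256 as the MAC, a labelled-HMAC derivation of the MAC key from the session key, and a tag that binds the chunk index and a final-chunk flag; the signature over the derived key is left out because it needs an asymmetric library.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes (assumed MAC)

def derive_mac_key(session_key):
    # Assumed derivation (the message does not specify one): a labelled HMAC
    # of the symmetric session key, so the MAC key itself is never stored.
    return hmac.new(session_key, b"example chunk-mac key", hashlib.sha256).digest()

def _tag(mac_key, index, final, chunk):
    # Binding the chunk index and a "last chunk" flag into the tag lets the
    # reader detect reordering and truncation, not only modified bytes.
    header = struct.pack(">QB", index, 1 if final else 0)
    return hmac.new(mac_key, header + chunk, hashlib.sha256).digest()

def seal(mac_key, data, chunk_size):
    """Split data (treated as ciphertext) into (chunk, tag) records."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    last = len(chunks) - 1
    return [(c, _tag(mac_key, i, i == last, c)) for i, c in enumerate(chunks)]

def verify_stream(mac_key, records):
    """Yield each chunk as soon as its tag verifies; raise ValueError otherwise."""
    done = False
    for index, (chunk, tag) in enumerate(records):
        if done:
            raise ValueError("data after final chunk")
        if hmac.compare_digest(tag, _tag(mac_key, index, True, chunk)):
            done = True
        elif not hmac.compare_digest(tag, _tag(mac_key, index, False, chunk)):
            raise ValueError(f"chunk {index} failed authentication")
        yield chunk
    if not done:
        raise ValueError("stream truncated before final chunk")

def check(mac_key, records):
    """Consume the stream; return None if it verifies, else the error text."""
    try:
        for _ in verify_stream(mac_key, records):
            pass
        return None
    except ValueError as exc:
        return str(exc)

def tag_overhead(chunk_size):
    """Fraction of extra bytes added by one tag per chunk of this size."""
    return TAG_LEN / chunk_size
```

Truncation is reported only after the earlier chunks have already been yielded, which is the trade-off of streaming release; smaller chunks shorten the wait for a verified chunk but raise `tag_overhead`.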