Re: [openpgp] AEAD Chunk Size

Bart Butler <bartbutler@protonmail.com> Sat, 30 March 2019 02:18 UTC

Return-Path: <bartbutler@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 238A4120090 for <openpgp@ietfa.amsl.com>; Fri, 29 Mar 2019 19:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MgWEHNgs3tjl for <openpgp@ietfa.amsl.com>; Fri, 29 Mar 2019 19:18:02 -0700 (PDT)
Received: from mail-40132.protonmail.ch (mail-40132.protonmail.ch [185.70.40.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13EAF12006A for <openpgp@ietf.org>; Fri, 29 Mar 2019 19:18:02 -0700 (PDT)
Date: Sat, 30 Mar 2019 02:17:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1553912279; bh=Bbw46eNaDo0Id7afYPNU73BhzH6J6Rdo1A9yn+rKUak=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=cUvvtEhZHr4INKcpvyGYrd2+nLQL5OI92XVfT2DKJXVGTLUNL9tq018r3Mut3jo5B /ptOb7agmWVLVpCQOrJryXnN7K8Gm+7G29ZUfAir1OFMFBIcHH9auuZliZDPj3DgTp fi8IZA+3s6twGyN6x7qC47Zilai63S1UqOop1QSU=
To: Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>
From: Bart Butler <bartbutler@protonmail.com>
Cc: "Neal H. Walfield" <neal@walfield.org>, "openpgp@ietf.org" <openpgp@ietf.org>, Justus Winter <justuswinter@gmail.com>, Jon Callas <joncallas@icloud.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Reply-To: Bart Butler <bartbutler@protonmail.com>
Message-ID: <2di2bK8m-7HtDeoUEH9oPqs-bL-IKSE0CjkgFShPMLOlUyeDBVkVGApdjnIpS6YRAeKU3ibGCZCtwLden-N6zK5W4fqIghRGDa5dU720nEs=@protonmail.com>
In-Reply-To: <FEE9711C-3C64-493C-8125-89696B882E0A@icloud.com>
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <87d0m9hl62.wl-neal@walfield.org> <FEE9711C-3C64-493C-8125-89696B882E0A@icloud.com>
Feedback-ID: XShtE-_o2KLy9dSshc6ANALRnvTQ9U24aqXW2ympbGschdpHbU6GYCTUCtfmGhY9HmOyP1Uweyandwh1AVDFrQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha512; boundary="---------------------8742fc61603bbff7f35b1fcf95e6a382"; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/OvHNiGSHk5tQ5nYCcck1kRX-PX4>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2019 02:18:06 -0000

Hi Jon,

As others have noted, there is a lot of confusion on this thread, some of which you touched in your AEAD Conundrum message, like when we say AEAD should not release unauthenticated plaintext, do we mean the entire message or the chunk?

Another piece of confusion is that Efail isn't a single vulnerability, it was several vulnerabilities related (at best) thematically.

So to be very specific, for the purpose of the following discussion, the advantage of smaller AEAD chunks is specifically to prevent Efail-style ciphertext malleability/gadget attacks, and the prohibition on releasing unauthenticated plaintext is applied to individual chunks, which is sufficient to foil this kind of attack in email.

The kind of attack we are talking about is fundamentally about exfiltration of plaintext data to an attacker-controlled endpoint. Borrowing from your AEAD Conundrum message, if the first chunk passes and is released, and the second chunk fails, that is OK, at least for email, because the part that was modified (the second chunk) is never released, so you get a truncated message and an error, but the truncated message without the modifications isn't going to exfiltrate itself.

Now if releasing ANY authenticated chunk of a message that hasn't been fully authenticated (in an AEAD sense) is a real problem for your application, I'd argue that you're trying to make AEAD do something it's not suited for and you should enforce this in your application if it applies to you, probably by not streaming.

So to recap, small-chunk AEAD provides specific value in preventing ciphertext malleability/gadget attacks, particularly in HTML email, which is a common use case.

What value does large-chunk AEAD actually provide? What I'm getting from the AEAD Conundrum message is that it's a way for the message encrypter to leverage the "don't release unauthenticated chunks" prohibition to force the decrypter to decrypt the whole message before releasing anything. Why do we want to give the message creator this kind of power? Why should the message creator be given the choice to force her recipient to either decrypt the entire message before release or be less safe than she would have been with smaller chunks?

Coming back to Neal's point, it's really hard to see any sort of value in really large AEAD chunks, because the performance overhead is negligible at that point and the only security 'benefit' that I can see is the encrypter trying to use the spec to force the decrypter to not stream, which does not seem like something at all desirable.

-Bart

P.S. ProtonMail doesn't use V5 keys or the new draft yet, but some users of OpenPGP.js have started using them with 256kB chunks, so we are not arguing on behalf of ourselves for the 256kB chunk size. The proposed language seems more or less OK in this regard, as most implementations will presumably keep 256kB support so these early adopters will not lose interoperability with their messages.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 29, 2019 1:42 PM, Jon Callas <joncallas=40icloud.com@dmarc.ietf.org> wrote:

> 

> 

> > On Mar 29, 2019, at 6:20 AM, Neal H. Walfield neal@walfield.org wrote:
> > 

> > > As I mentioned earlier, we really need some data on real-world use cases
> > > rather than hypothesising problematic corner cases that will rarely, if ever,
> > > occur.
> > 

> > Efail occured. Why is that not enough?
> 

> Many of us think that Efail is orthogonal to this problem and consequently while it’s a real issue, as a rationale, it’s lacking.
> 

> You might disagree with us, and I respect that. Nonetheless, I find Efail to be unconvincing. I’d love to debate this further, but do you have another rationale, or it only Efail?
> 

> Jon
> 

> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp