Re: [openpgp] AEAD Chunk Size

Conrado P. L. Gouvêa <conradoplg@gmail.com> Tue, 02 April 2019 12:50 UTC

Return-Path: <conradoplg@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 420541200FF for <openpgp@ietfa.amsl.com>; Tue, 2 Apr 2019 05:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.02
X-Spam-Level:
X-Spam-Status: No, score=-1.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7odZ09i98nan for <openpgp@ietfa.amsl.com>; Tue, 2 Apr 2019 05:50:25 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B97DF1200FE for <openpgp@ietf.org>; Tue, 2 Apr 2019 05:50:25 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id u15so289201ybj.13 for <openpgp@ietf.org>; Tue, 02 Apr 2019 05:50:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wVu2HuH4s9JU8zvnJQADKlKs0FwPZI0PydfYeJgiSRU=; b=YIxe/ZDF0M6mAHoRcGJNsuOO6Ui53mnrS5Ym4gTcw34RnnKnWzqTSpjj+Q+PBDPoqd eIR03ClkkNWY69ekkETW3jIcbLTJ6a8MoX8pW8z4u/Di64RiULG1EynATIehnHWC58Km tONmXcT9bMK0cs9IKJ4roPFWqFDcREJSGyyC1qT5bGjaJisHhsw3IU1ZRGxCI7JTwazq 2GThuFol7meyXckTg6C41bRYEpOjLU+rKfVtYcWAah8B7q4ohXSgbtA5qD7dLT4klM3W RxrREaoUtejhMjgCnJg2wHopCkdJ/HsjdlhTKA3eptYwT3eCTjjFeVRpGvAtIDbo1QF1 04eA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wVu2HuH4s9JU8zvnJQADKlKs0FwPZI0PydfYeJgiSRU=; b=WFZLKyqcokai0Sai5j7/SAYEz6k3Az7J805HMe9mm15I1Rw3kMdbiuuOjuqK8OeY7M 7HrnjMLsn5aZwpHf7Fd+L8wsGOJKsZCE7C4E8uuAQ/Uutq5YNGqc3/zn1DZF3mKu9vFN qbAcupn3XgzA8frpfZTFytXa8OHAtLudcxLIzO2mohsKeyh8JZY1KgAjvkRxFYnQDqRo Vx/6+AEiVVqd74Qd1oKesn7Y4zLXwG6+JI+uCu98zmRD/gNUl5/Znfz3FUDgzSA9RsV5 EjE+kiC69uaqwUoim5bnbKmctmznUBZrkygF7fMrzbYT2EXoNmv86WEsImyMwfTZinfB jasg==
X-Gm-Message-State: APjAAAW7Zz+jdkZF59u/hP9UIqZx4JK/ESr43p+xQJm6+NonYzIi1Tqt tBfNGxeqniUVyEQ8Gt2Ox7K+tADB7eGt/An8T1M=
X-Google-Smtp-Source: APXvYqwR/j0P7DtrRn+OzZndrZis2baGydM7HDo+ufok5zoGAmaDEWN/R070xj7BZt/PGE6ipHxXx4Ip1f429QtUk3c=
X-Received: by 2002:a25:7492:: with SMTP id p140mr15356011ybc.394.1554209424807; Tue, 02 Apr 2019 05:50:24 -0700 (PDT)
MIME-Version: 1.0
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <87d0m9hl62.wl-neal@walfield.org> <1553867007783.37940@cs.auckland.ac.nz>
In-Reply-To: <1553867007783.37940@cs.auckland.ac.nz>
From: =?UTF-8?B?Q29ucmFkbyBQLiBMLiBHb3V2w6ph?= <conradoplg@gmail.com>
Date: Tue, 2 Apr 2019 09:50:12 -0300
Message-ID: <CAHTptW8F=hfmV66rbD6+6XtMeeLdh=+Ja+favYea2bzz0ZUDPA@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "Neal H. Walfield" <neal@walfield.org>, "openpgp@ietf.org" <openpgp@ietf.org>, Justus Winter <justuswinter@gmail.com>, Jon Callas <joncallas@icloud.com>, Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/P2Y1pkz70_n76o2PjaPMLxXY8K8>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 12:50:28 -0000

(Sorry, I'm a lurker in this group, but wanted to chime in...)

On Fri, Mar 29, 2019 at 10:45 AM Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> That was due to broken email apps.  If I can convince your email app to
> forward the plaintext of a decrypted message to me, you lose no matter what
> encryption mechanism you use.
>
> Admittedly CBC/CFB made this easier, but it was the email apps that needed
> fixing, not PGP.

I believe that's not true. The second EFail attack was caused by PGP
allowing removing the MDC or downgrading packets. This would not
happen if PGP handled authentication correctly.

>
> I'm not saying it's not worth addressing, but before endlessly debating
> solutions we need to figure out what problem we're solving.  "We have this
> cool AEAD mode lying around and want to apply it to something" isn't a
> problem, or at least not a problem that a PGP user cares about solving, it's
> something interesting for geeks to play with.
>
> In the last five years or so I've received approximately zero PGP-encrypted
> emails, and I'm one of the people who helped write the thing.  OTOH I've
> probably encrypted gigabytes of data with it, almost always symmetric-key with
> the key communicated out of band.  In none of those cases would blocked auth
> protection have been useful.
>

This whole discussion has nothing to do with AEAD itself. With
"manual" encrypt-then-authenticate, the issue of chunk size and
releasing unauthenticated plaintext is the same.

Even for data at rest: many people store the data in cloud providers,
where it could be tinkered with by attackers.
If the problem is to be resilient to file corruption, then the answer
is error-correcting codes, not ignoring authentication. (Though I
agree that's an important issue that is mostly overlooked in crypto)

Conrado