Re: [openpgp] AEAD Chunk Size

Werner Koch <wk@gnupg.org> Tue, 19 March 2019 07:35 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1711311EF for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 00:35:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gnupg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LbJWX47yLQXs for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 00:35:10 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACF3F1311EB for <openpgp@ietf.org>; Tue, 19 Mar 2019 00:35:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org; s=20181017; h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date: References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=gSiHJNFmRdTeDQzkex1BJdfOMgQOBShGSvBDHOmD+Xo=; b=FFNKQmRIFZlJoU269I65gTgCU3 9e2BfDN3kTIxGYviCpmHziHBt5i/rD1tdCA9RVaFASnakW+6xOejcJse4xwD2GkwCnh6k7S6G54Jj 2JXpOpMgImm/e38q2YDGENEVkMJRPRng7wRgH2btKLAejdTG59BeAdpqQ1USlCg/WffY=;
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.89 #1 (Debian)) id 1h69HB-0004qf-Fh for <openpgp@ietf.org>; Tue, 19 Mar 2019 08:35:09 +0100
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian)) id 1h69CZ-000562-6H; Tue, 19 Mar 2019 08:30:23 +0100
From: Werner Koch <wk@gnupg.org>
To: Bill Frantz <frantz@pwpconsult.com>
Cc: openpgp@ietf.org
References: <r480Ps-10143i-149CE78B9B3A43A29B3D767B6660A08D@Williams-MacBook-Pro.local>
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: Bill Frantz <frantz@pwpconsult.com>, openpgp@ietf.org
Date: Tue, 19 Mar 2019 08:30:22 +0100
In-Reply-To: <r480Ps-10143i-149CE78B9B3A43A29B3D767B6660A08D@Williams-MacBook-Pro.local> (Bill Frantz's message of "Mon, 18 Mar 2019 14:11:41 -0700")
Message-ID: <87r2b348z5.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=Mahmoud_Ahmadinejad_dictionary_PPP_rhost_COSMOS_Cartel_de_Golfo_NATI"; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SWf6eJKGhXrDbj8tTMPJHVIV4gU>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 07:35:13 -0000

On Mon, 18 Mar 2019 14:11, frantz@pwpconsult.com said:

> To protect against truncation attacks you can borrow an idea from the
> database people and not commit your changes until you have a complete
> message.

Right.  And you need to do that anyway because authenticated encryption
doesn't tell you anything about the origin of the message and thus you
need to check the signature of the message after it has been completely
decrypted (at least with OpenPGP and CMS).  Anyone can send malicious
content and AE doesn't protect against processsing such content.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.