Re: [openpgp] Need to publish bis-05
Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de> Thu, 26 July 2018 09:01 UTC
Return-Path: <marcus.brinkmann@ruhr-uni-bochum.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C094130E5F for <openpgp@ietfa.amsl.com>; Thu, 26 Jul 2018 02:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ruhr-uni-bochum.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9gMuCT1nM5l for <openpgp@ietfa.amsl.com>; Thu, 26 Jul 2018 02:01:41 -0700 (PDT)
Received: from out1.mail.ruhr-uni-bochum.de (out1.mail.ruhr-uni-bochum.de [134.147.53.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B6B2130F73 for <openpgp@ietf.org>; Thu, 26 Jul 2018 02:01:41 -0700 (PDT)
Received: from mx1.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by out1.mail.ruhr-uni-bochum.de (Postfix mo-ext) with ESMTP id 41bmLG6J6dz4xXM for <openpgp@ietf.org>; Thu, 26 Jul 2018 11:01:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ruhr-uni-bochum.de; s=mail-2017; t=1532595702; bh=t08P5SYk/8Ln89OX2I4Y751pnj0pcgyjbQW61yg1lLw=; h=Subject:To:References:From:Date:In-Reply-To:From; b=lLm9wvIk/8PUmRvBvANF5FmNzJu6l64dcWYHYzw2QQZ42XCe9to2fH2lmHDn9ndnh rP7e4xU5doXraDTE5+9vOwRpC76qC2oYJaOGHOmTMQM16kI9t+33tcNbJIzx5NzwjA wUQBtCxLMC6KrSrKNhntvGfSsrJMYNnO54rQIl/I=
Received: from out1.mail.ruhr-uni-bochum.de (localhost [127.0.0.1]) by mx1.mail.ruhr-uni-bochum.de (Postfix idis) with ESMTP id 41bmLG5YX8z4yJp for <openpgp@ietf.org>; Thu, 26 Jul 2018 11:01:42 +0200 (CEST)
X-Envelope-Sender: <marcus.brinkmann@ruhr-uni-bochum.de>
X-RUB-Notes: Internal origin=134.147.42.227
Received: from mail1.mail.ruhr-uni-bochum.de (mail1.mail.ruhr-uni-bochum.de [134.147.42.227]) by out1.mail.ruhr-uni-bochum.de (Postfix mi-int) with ESMTP id 41bmLF3hYCz4yKg for <openpgp@ietf.org>; Thu, 26 Jul 2018 11:01:41 +0200 (CEST)
Received: from [192.168.142.139] (p5B049981.dip0.t-ipconnect.de [91.4.153.129]) by mail1.mail.ruhr-uni-bochum.de (Postfix) with ESMTPSA id 41bmJj2JjCzysB for <openpgp@ietf.org>; Thu, 26 Jul 2018 11:00:21 +0200 (CEST)
To: openpgp@ietf.org
References: <87va95f5q6.fsf@wheatstone.g10code.de>
From: Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de>
Openpgp: preference=signencrypt
Message-ID: <8952ea67-4a6e-95ab-67c2-8d61c3dd2a1f@ruhr-uni-bochum.de>
Date: Thu, 26 Jul 2018 11:00:21 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <87va95f5q6.fsf@wheatstone.g10code.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.4 at mail1.mail.ruhr-uni-bochum.de
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aMdBBLba2sq_C_VKjkqh5_5iwMs>
Subject: Re: [openpgp] Need to publish bis-05
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 09:01:46 -0000
The new wording for the AEAD chunk size makes it logically impossible to
write a conforming implementation that guarantees to never output or
process unauthenticated plaintext. This is a serious security concern,
which is addressed by state of the art standards like TLS 1.3, and for
which there was rough consensus on this list.
Here is the reason that it is impossible for conforming implementations
to always be secure:
* The draft requires implementations to support chunks up to 4 Exibyte
("An implementation MUST support chunk size octets with values from 0 to
56").
* It is impossible to buffer 4 Exbyte on any device or system that is
not planet-scale.
Thus, any conforming implementation must have a chunk size that must be
supported for which it can not buffer the whole chunk. For that chunk
size, the implementation must either abort (resulting in non-conforming
behaviour) or output unauthenticated data (resulting in non-secure
behaviour).
This is in stark contrast to the original proposal, which had valid
chunk sizes between 64 Byte and 64 KiB, all of which can be supported
securely on a wide range of devices. Multiple people expressed support
for that approach.
On 07/24/2018 09:33 AM, Werner Koch wrote:
> Hi
>
> -04 is about to expire. These will be the changes in -05:
>
> --8<---------------cut here---------------start------------->8---
> ** New key flag:
>
> # The second octet:
>
> + 0x04 - This key may be used as an additional decryption subkey (ADSK).
>
> # The idea is that implementations will also encrypt to a second subkey
> # which for example is used on a second device. I am not sure whether
> # this is suitable solution and makes much sense so this is intended as a
> # bait for discussion.
>
> ** Deprecation of Symmetrically Encrypted Data Packet
>
> + This packet is obsolete. An implementation MUST not create this
> + packet. An implementation MAY process such a packet but it MUST
> + return a clear diagnostic that a non-integrity protected packet has
> + been processed. The implementation SHOULD also return an error in
> + this case and stop processing.
>
> ** Limit the chunk size of AEAD packets:
>
> An implementation MUST support chunk size octets with values from 0 to
> 56. Chunk size octets with other values are reserved for future
> + extensions. Implementations SHOULD NOT create data with a chunk size
> + octet value larger than 21 (128 MiB chunks) to facilitate buffering of
> + not yet authenticated plaintext.
>
> ** Explict warning reading the AEAD IV:
>
> A new random initialization vector MUST be used for each message.
> + Failure to do so for each message will lead to a catastrophic failure
> + depending on the used AEAD mode.
>
> ** More pressure to use AEAD:
>
> - This attack can be defeated by the use of Modification Detection,
> + This attack can be defeated by the use of modification detection,
> provided that the implementation does not let the user naively
> - return the data to the attacker. An implementation MUST treat an MDC
> - failure as a security problem, not merely a data problem.
> -
> - In either case, the implementation MAY allow the user access to the
> - erroneous data, but MUST warn the user as to potential security
> - problems should that data be returned to the sender.
> + return the data to the attacker. The modification detection is
> + prefereabble implemented by using the AEAD Encrypted Data Packet
> + and only if the recipients don't supports this by use of the
> + Symmmetric Encrypted and Integrity Protected Data Packet. An
> + implementation MUST treat an authentication or MDC failure as a
> + security problem, not merely a data problem.
> +
> + In either case, the implementation SHOULD NOT allow the user
> + access to the erroneous data, and MUST warn the user as to
> + potential security problems should that data be returned to the
> + sender.
>
> and changed the following suggestion to read
>
> permits someone to trick a user to decrypt a message. Consequently,
> it is important that:
>
> 1. Implementers treat authentication errors, MDC errors,
> decompression failures or no use of MDC or AEAD as security
> problems.
>
> 2. Implementers implement AEAD with all due speed and encourage
> its spread.
>
> 3. Users migrate to implementations that support AEAD
> encryption with all due speed.
>
>
> ** Clarify / cleanup OCB section, add EAX and OCB test vectors
> --8<---------------cut here---------------end--------------->8---
>
>
> See also git@gitlab.com/openpgp-wg/rfc4880bis
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> # Please read: Daniel Ellsberg - The Doomsday Machine #
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>
>
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>
- [openpgp] Need to publish bis-05 Werner Koch
- Re: [openpgp] Need to publish bis-05 Hanno Böck
- Re: [openpgp] Need to publish bis-05 Werner Koch
- Re: [openpgp] Need to publish bis-05 Marcus Brinkmann
- Re: [openpgp] Need to publish bis-05 brian m. carlson
- Re: [openpgp] Need to publish bis-05 Benjamin Kaduk
- Re: [openpgp] Need to publish bis-05 brian m. carlson
- Re: [openpgp] Need to publish bis-05 Benjamin Kaduk