Re: [openpgp] AEAD Chunk Size

Derek Atkins <derek@ihtfp.com> Fri, 12 April 2019 13:37 UTC

From: Derek Atkins <derek@ihtfp.com>
To: Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org>
Cc: openpgp@ietf.org
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <ea6da6cb-08c1-fabd-038b-53d6d6aeb366@ruhr-uni-bochum.de>
Date: Fri, 12 Apr 2019 09:36:58 -0400
In-Reply-To: <ea6da6cb-08c1-fabd-038b-53d6d6aeb366@ruhr-uni-bochum.de> (Marcus Brinkmann's message of "Fri, 29 Mar 2019 00:58:30 +0100")
Message-ID: <sjm36mnuyyt.fsf@securerf.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/cI0pyo1RZ3Gdr0Iomlc3Arw7SEg>
Subject: Re: [openpgp] AEAD Chunk Size

 [ Coming back to this late after traveling for a while.  My apologies if I
am re-opening wounds... ]

Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org>
writes:

> The main question here is: What should a conforming application look like?
>
> The current behaviour of GnuPG is that it will process internally (e.g.,
> through the decompression and signature verification layer) and output
> externally unauthenticated plaintext.  If an AEAD chunk is modified by
> an attacker, GnuPG will detect the modification and cancel the
> operation, but only at the end of each chunk.  Due to the asynchronous
> buffer management in GnuPG, quite often some part of the modified chunk
> has then already been processed and output, depending on the particular
> state of the buffers, the buffer size and the chunk size.  This
> behaviour increases the surface for chosen ciphertext attacks and
> possibly adaptive chosen plaintext attacks (if an oracle is exposed).

In my mind, this sounds like the implementation is broken.  If it
releases AEAD plaintext before the end of the AEAD chunk then it is
non-conforming and should be considered broken.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant