Re: [openpgp] Pull request for AEAD encrypted data packet with GCM
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 15 February 2017 03:34 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78ED81293E1 for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 19:34:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dy5YH9NAL4ji for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 19:34:57 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 055C0129436 for <openpgp@ietf.org>; Tue, 14 Feb 2017 19:34:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1487129696; x=1518665696; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Ti3l8usVD8N+xo+0vrrbmbgw2tW6BN+fCa8+Hs1f4P0=; b=vIaqacY7dIKl4qR4F01GZ0J2NTT/aBnsOkT8Ijv1hLZvdS4bZVhdOwRI 8DEI445I0T+Pu82+P7/bywHzcWhAfIMTnOPZvkMQ9Oaa2q/Pv8dMpzOvV aYOu/JUsQrBSc0ghdZm/XisPa/GhUcrnujQ4Y2+1utl1x6vygiDo2SVmj RzTmAn+bhkgBiJkaKNP9IgqCYBDN0ygxLXgCRld/Z/84HDQj9SlhwU5cN 9hmCXnQoFf8rZzqEkRfmaLU8wVV/CfxVB3Cv6+DUzYMOlQOzjHbLs25Ni IcmidABfr80Y2V3FeIJa8SsNiV562d1e+k5E711LdCH51hVghM7Zyjw2C A==;
X-IronPort-AV: E=Sophos;i="5.35,164,1483959600"; d="scan'208";a="135227464"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.4 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-ogg-c.UoA.auckland.ac.nz) ([10.6.2.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 15 Feb 2017 16:34:55 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-c.UoA.auckland.ac.nz (10.6.2.4) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 15 Feb 2017 16:34:55 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Wed, 15 Feb 2017 16:34:55 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Jon Callas <joncallas@icloud.com>, "brian m. carlson" <sandals@crustytoothpaste.net>
Thread-Topic: [openpgp] Pull request for AEAD encrypted data packet with GCM
Thread-Index: AQHShZWCI87Yb3MUEEORMG27g756BKFm2PqAgAKRNDc=
Date: Wed, 15 Feb 2017 03:34:55 +0000
Message-ID: <1487129690833.78775@cs.auckland.ac.nz>
References: <20170213010658.xmzo7yfgki2hqw42@genre.crustytoothpaste.net>, <CE43260E-D723-4B00-9E81-B5F81142121F@icloud.com>
In-Reply-To: <CE43260E-D723-4B00-9E81-B5F81142121F@icloud.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/fsxXaDD3SkZuktQ7yl22jHioDKw>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] Pull request for AEAD encrypted data packet with GCM
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2017 03:34:59 -0000
Jon Callas <joncallas@icloud.com> writes: >I'll request that another mode than GCM be used. In particular, I disagree >with it being "uncontroversial." It's the most controversial mode you could >pick. +1. However the adjective I'd use for GCM is most trendy, not necessarily most controversial. It's the mode you use without thinking about it because... um, because everyone says its cool. Like MongoDB, or Go, or Angular.js, or Bimodal IT. >GCM is very brittle. It breaks in very bad ways if you aren't careful with >nonces/tags. There are many cases of people misusing it and getting worse >than no security. I state that because if you *think* you're getting >authenticated data, but it's actually been altered in transit, and that will >likely cause issues in the receiving state machine. +1 again. You can take something like AES-CBC + HMAC and abuse it as much as you want, e.g. by memsetting the IV to all zeroes on each block, and at most you degrade to ECB, with no effect on the MAC's security. OTOH do that with a single IV in GCM (== CTR) mode (so you get a repeated IV) and you get a catastrophic loss of security. CTR is RC4 all over again. >Furthermore, the multiply in GHASH is slow in software. Again, and at the risk of sounding like the Callas fan club... GCM is a dangerously easy to misuse encryption mode paired with a slow, also failure-prone MAC. If you want a minimal-fuss AEAD mode, just turn the current encryption into encrypt-then-MAC. It's a very minimal change, append an HMAC to the end of the existing encrypted data. >I think that GCM is actually controversial and dangerous for generic use. Not sure about controversial since it's so trendy that most people don't think about it but just use it, but it's certainly too dangerous for general use. Peter.
- [openpgp] Pull request for AEAD encrypted data pa… brian m. carlson
- Re: [openpgp] Pull request for AEAD encrypted dat… Jon Callas
- Re: [openpgp] Pull request for AEAD encrypted dat… Stephen Farrell
- Re: [openpgp] Pull request for AEAD encrypted dat… brian m. carlson
- [openpgp] [PATCH] Add AEAD Encrypted Data Packet … brian m. carlson
- Re: [openpgp] Pull request for AEAD encrypted dat… Jon Callas
- Re: [openpgp] Pull request for AEAD encrypted dat… Jon Callas
- Re: [openpgp] Pull request for AEAD encrypted dat… brian m. carlson
- Re: [openpgp] Pull request for AEAD encrypted dat… Werner Koch
- [openpgp] Questions around AEAD packets Werner Koch
- Re: [openpgp] Questions around AEAD packets Tom Ritter
- Re: [openpgp] Questions around AEAD packets Werner Koch
- Re: [openpgp] Pull request for AEAD encrypted dat… Peter Gutmann
- Re: [openpgp] Questions around AEAD packets Derek Atkins