Re: [openpgp] AEAD Chunk Size

Jon Callas <> Thu, 28 February 2019 00:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8EE3D131102 for <>; Wed, 27 Feb 2019 16:03:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id n9MphPyam-_F for <>; Wed, 27 Feb 2019 16:03:12 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AC786130EA7 for <>; Wed, 27 Feb 2019 16:03:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=04042017; t=1551312191; bh=vemk2J30kpT+EnAMtN8xMtKaWWUZEoTVKcM1tTnI+Ic=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=P5msR2nSvDsPe4gpTcEMU7ROTxNrxPL3PL4ne17M528fq0lsH9HFe2/yypJYhy2aA 1OPFfQAw7ara4K+PYr3zWXBjZbKTsnIGUE5Ba0IPDmgs3zYel4/kZtyXUDgBsUG5yj 7SuuPdDXJ+sUOjl4kYyDI5vxpgy+oGNQ9VmYOtrAXW8x4WJn854xv79SfA1NZ3r7k2 W8eBL7eF3hBwQ3Vg57xRNOYftYrd9yQ0KZW6FZzM2IWPB4eH9QUYxbyZUVe88yHjzO MEd5tDjEGT/THNfFYz1lcOG6yo7ydUARGawsE/17XqSodzSQz5tQAzuHs8jP/nGS9R l6moEgpjMdPyA==
Received: from [] ( []) by (Postfix) with ESMTPSA id 78C6D2A00C7; Thu, 28 Feb 2019 00:03:11 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Jon Callas <>
In-Reply-To: <>
Date: Wed, 27 Feb 2019 16:03:10 -0800
Cc: Jon Callas <>, Vincent Breitmoser <>, "" <>, "Neal H. Walfield" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <>
To: Bart Butler <>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-02-27_15:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 mlxscore=0 mlxlogscore=783 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1812120000 definitions=main-1902270155
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Feb 2019 00:03:15 -0000

> On Feb 27, 2019, at 3:00 PM, Bart Butler <> wrote:
> Hi Jon,
> Do I understand correctly that you oppose shrinking the allowable range with MUST at all too? I think the argument for this is fairly convincing from a usage perspective to ensure that someone decrypting a large message is not obligated to download a huge amount of data before finding out that it is corrupted or otherwise has been tampered with. Likewise, we had to address unanticipated performance issues in OpenPGP.js with very small chunks which could have allowed a bad actor to essentially DoS the library with a strangely-constructed message.
> In other words, I'm not really swayed by the implementation simplification argument but I do think that very small or very large chunk size, in addition to *probably* being useless, pose a real threat in terms of abuse.
> So I think having a MUST for the range, maybe 16kiB to 256 kiB, or 16 kiB to 1024 kiB is a reasonable thing to do. And as long as we keep the size byte, we can always increase the upper limit of the range in the future if needed.

My warning is against shooting someone else in the foot, or forcing them to use some other protocol.

Thus, saying (e.g.) that the range MUST be between 1K and 16K is a bad idea; we even know now that 256K has in some cases an efficiency advantage. You can say, MUST support 1K to 16K, SHOULD support up to 256K and MAY support larger sizes. There can also be a couple of paragraphs to explain that there are good reasons neither to be very small nor very large.

My concern is someone saying something like, “Gosh, I’d like to have OpenPGP AEAD encryption for S3 Objects, but I can’t ‘cause those go up to 5TB.” Anyone who’s going to use 5TB objects probably knows the headaches they inherit and yeah, you aren’t going to do that on a Cortex M0.

Does this make sense?