IETF Logo Mail Archive

Re: [openpgp] AEAD Chunk Size

"Neal H. Walfield" <neal@walfield.org> Tue, 19 March 2019 18:10 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4BB31313BE for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 11:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwO_Bv9MQ-l7 for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 11:10:24 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3065D131160 for <openpgp@ietf.org>; Tue, 19 Mar 2019 11:10:24 -0700 (PDT)
Received: from tmo-106-123.customers.d1-online.com ([80.187.106.123] helo=chu.huenfield.org.walfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1h6JBs-0004oD-2u; Tue, 19 Mar 2019 18:10:21 +0000
Date: Tue, 19 Mar 2019 19:10:18 +0100
Message-ID: <87lg1a3fcl.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Derek Atkins <derek@ihtfp.com>
Cc: openpgp@ietf.org, Vincent Breitmoser <look@my.amazin.horse>
In-Reply-To: <sjmpnqmrg1b.fsf@securerf.ihtfp.org>
References: <87d0n174w6.fsf@wheatstone.g10code.de> <87mumh33nc.wl-neal@walfield.org> <3GFS71V7BTJNZ.29C5TO8OY0O44@my.amazin.horse> <sjmy35isypu.fsf@securerf.ihtfp.org> <87r2bax5u2.wl-neal@walfield.org> <sjmlg1hskdq.fsf@securerf.ihtfp.org> <87pnqtwot9.wl-neal@walfield.org> <87y35hy2i0.fsf@wheatstone.g10code.de> <87k1h0we7w.wl-neal@walfield.org> <87va0g65ht.fsf@wheatstone.g10code.de> <87va0gioae.wl-neal@walfield.org> <431ea8fdaca6b3d20e19cfe2a14f6c96.squirrel@mail2.ihtfp.org> <87mulsi7ms.wl-neal@walfield.org> <sjmpnqmrg1b.fsf@securerf.ihtfp.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/24.5 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/jGayDETaRmIw8VJME8u1yz4Enz4>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 18:10:27 -0000

Hi Derek,

Thanks for your analysis.  I think the AEAD chunking algorithm is
sound, if it is used correctly.

My issue is that I don't think it is possible to use the chunking
algorithm correctly for large chunk sizes.  For instance, what should
an implementation do if it encounters a chunk size of 16 TB (and there
really can be >16 TB of data using a small decompression bomb)?
Should it be allowed to emit unauthenticated plaintext?

Let's assume that we allow implementations to emit unauthenticated
plaintext for large chunk sizes.  An attacker who intercepts a message
can change the chunk size to be above this limit.  Now, clearly this
will fail the authentication check, but we just allowed
implementations to release the plaintext for large chunk sizes.  So,
if my analysis and experiments are correct, then using AEAD will never
provide ciphertext integrity for the first chunk against an active
attacker.

Let's assume that we don't allow implementations to ever emit
unauthenticated plaintext.  Well, if they encounter a large chunk that
they can't buffer, they MUST fail.  Ouch!  User's will work around
that and implementations will help.  (As I've pointed out, one already
has.  I don't know if it was an oversight.)

So, my conclusion is, we must prohibit implementations from emitting
unauthenticated plaintext *and* remove any incentives to do so.  For
me, this means a small, fixed chunk size.


Does this clarify my concerns?

Thanks!

:) Neal

At Tue, 19 Mar 2019 12:21:36 -0400,
Derek Atkins wrote:
> 
> Neal,
> 
> "Neal H. Walfield" <neal@walfield.org> writes:
> 
> > Well, whatever :).  As I understand Werner, he agrees that ciphertext
> > integrity while streaming is desirable, and, I guess, thinks that is
> > achievable with the current draft.  I don't think it is possible, and
> > I've raised a few concerns in my prior mails.  I hope Werner can
> > address those concerns.
> 
> I admit that I have not studied the current draft closely, so my
> comments might be out of whack, but my expectation is that the AEAD and
> Chunking are done hand-in-hand.  The chunk metadata (number/size/etc)
> should be protected by the AEAD.
> 
> So let's say you have a message that gets processed as:
> 
> [Chunk 1] [Chunk 2] [Chunk 3/final]
> 
> In the normal case, the receiver will process Chunk 1, then Chunk 2, and
> then Chunk 3, and depending on the implementation MAY emit the Chunk 1
> plaintext (which HAS BEEN AUTHENTICATED) before it processes Chunk 2
> and/or Chunk 3.
> 
> What can an attacker do?
> 
> * If they modify the chunk size, the AEAD on that chunk will fail and
>   therefore the data should not be emitted.  Note that this COULD cause
>   the receiver to emit Chunk 1 and then "stop".
> 
> * If they cause Chunk 3 to disappear, they could get the receiver to emit
>   Chunks 1 and 2 and then stop with.  But again, Chunk1 and Chunk2 are
>   still authenticated.
> 
> * If they cause Chunk 2 to disappear, the numbering will be out of order
>   and the receiver can emit an error.
> 
> * They can insert fake chunks.  Let's say they cause the following:
>   [Chunk 1] [Chunk 2'] [Chunk 2] [Chunk 3'] [Chink 3/final]
> 
>   In this case, the attacker is inserting Chunk 2' and Chunk 3',
>   claiming to be chunks 2 and 3 respectively.  So the question is, what
>   happens here?  Well, the chunking here is expecting encryption (at
>   least I think it should be expecting encryption).  So they would
>   authenticate Chunk 1 (and possibly emit it), but when processing Chunk
>   2' they would fail on the AEAD because the attacker doesn't know the
>   key.
> 
>   The chunking should not allow any other type of data here.
> 
> Am I missing another attack?
> 
> [snip]
> >> Which implementation?  The sender or the receiver?
> >
> > I'm assuming that the sender is using the best we have to offer, i.e.,
> > chunked AEAD.
> >
> > I'm assuming that the receiver emits unauthenticated plaintext in some
> > situations.
> 
> In what situations would the receiver emit unauthenticated plaintext?
> 
> >> Also, who is the
> >> attacker?  The Sender?  Or a third party?
> >
> > I'm thinking of something like EFAIL.  So, a third-party attacker who
> > modifies the ciphertext.
> 
> EFAIL was more that that -- it was also leveraging the fact that USERS
> of OpenPGP would merge the contents of authenticated and
> non-authenticated data when presented in e.g. a MIME context, such that
> the processor could not differentiate between the protected and
> unprotected content.
> 
> >> The only attack is a DoS if the end is
> >> truncated, and the earlier (valid) chunks have already been released.
> >> 
> >> In other words, AEAD is used for each chunked block as a single, coherent
> >> piece.  Also I don't see how an attacker (third party) could leverage this
> >> at all.  They couldn't change the chunk size enroute.
> >
> > I hacked Sequoia to emit unauthenticated data, and I was able to
> > change the chunk size and still get the plaintext of at least the
> > first chunk of a message.  So, my concern is: if a receiving
> > implementation releases unauthenticated plaintext for large chunks
> > rather than fail with ENOMEM, then a third-party attacker can change
> > the chunk size of an intercepted message, and cause the receiver to
> > process unauthenticated data, even though a small chunk size was
> > originally used.
> 
> Sure, but the first chunk of the message was authenticated when it was
> emitted.  The SECOND chunk failed, and I bet it stopped processing!
> 
> This is what SHOULD happen.
> 
> >> Each chunk is either
> >> authenticated, or an error occurs.  On error, it wouldn't be released.
> >
> > The question for me is: what does an implementation do if it can't
> > buffer the message?  Does it really throw an error?  There already
> > exists at least one implementation written by an editor listed on
> > 4880bis that processes unauthenticated plaintext.
> 
> I think we have different definitions of unauthenticated plaintext here.
> 
> In a chunked message, plaintext is authenticated PER CHUNK.  So once
> Chunk 1 is processed, it is considered authenticated, and the
> implementation is free to emit it, even if Chunk 2 fails.
> 
> If Chunk 2 fails its AEAD check (but Chunk 1 processed successfully), do
> you consider the plaintext of Chunk 1 unauthenticated?  If so, why?
> 
> -derek
> 
> -- 
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>

v2.23.0 | Report a Bug | By Email