Re: [openpgp] AEAD Chunk Size
"Neal H. Walfield" <neal@walfield.org> Tue, 19 March 2019 18:10 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4BB31313BE for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 11:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwO_Bv9MQ-l7 for <openpgp@ietfa.amsl.com>; Tue, 19 Mar 2019 11:10:24 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3065D131160 for <openpgp@ietf.org>; Tue, 19 Mar 2019 11:10:24 -0700 (PDT)
Received: from tmo-106-123.customers.d1-online.com ([80.187.106.123] helo=chu.huenfield.org.walfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1h6JBs-0004oD-2u; Tue, 19 Mar 2019 18:10:21 +0000
Date: Tue, 19 Mar 2019 19:10:18 +0100
Message-ID: <87lg1a3fcl.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Derek Atkins <derek@ihtfp.com>
Cc: openpgp@ietf.org, Vincent Breitmoser <look@my.amazin.horse>
In-Reply-To: <sjmpnqmrg1b.fsf@securerf.ihtfp.org>
References: <87d0n174w6.fsf@wheatstone.g10code.de> <87mumh33nc.wl-neal@walfield.org> <3GFS71V7BTJNZ.29C5TO8OY0O44@my.amazin.horse> <sjmy35isypu.fsf@securerf.ihtfp.org> <87r2bax5u2.wl-neal@walfield.org> <sjmlg1hskdq.fsf@securerf.ihtfp.org> <87pnqtwot9.wl-neal@walfield.org> <87y35hy2i0.fsf@wheatstone.g10code.de> <87k1h0we7w.wl-neal@walfield.org> <87va0g65ht.fsf@wheatstone.g10code.de> <87va0gioae.wl-neal@walfield.org> <431ea8fdaca6b3d20e19cfe2a14f6c96.squirrel@mail2.ihtfp.org> <87mulsi7ms.wl-neal@walfield.org> <sjmpnqmrg1b.fsf@securerf.ihtfp.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/24.5 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/jGayDETaRmIw8VJME8u1yz4Enz4>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 18:10:27 -0000
Hi Derek, Thanks for your analysis. I think the AEAD chunking algorithm is sound, if it is used correctly. My issue is that I don't think it is possible to use the chunking algorithm correctly for large chunk sizes. For instance, what should an implementation do if it encounters a chunk size of 16 TB (and there really can be >16 TB of data using a small decompression bomb)? Should it be allowed to emit unauthenticated plaintext? Let's assume that we allow implementations to emit unauthenticated plaintext for large chunk sizes. An attacker who intercepts a message can change the chunk size to be above this limit. Now, clearly this will fail the authentication check, but we just allowed implementations to release the plaintext for large chunk sizes. So, if my analysis and experiments are correct, then using AEAD will never provide ciphertext integrity for the first chunk against an active attacker. Let's assume that we don't allow implementations to ever emit unauthenticated plaintext. Well, if they encounter a large chunk that they can't buffer, they MUST fail. Ouch! User's will work around that and implementations will help. (As I've pointed out, one already has. I don't know if it was an oversight.) So, my conclusion is, we must prohibit implementations from emitting unauthenticated plaintext *and* remove any incentives to do so. For me, this means a small, fixed chunk size. Does this clarify my concerns? Thanks! :) Neal At Tue, 19 Mar 2019 12:21:36 -0400, Derek Atkins wrote: > > Neal, > > "Neal H. Walfield" <neal@walfield.org> writes: > > > Well, whatever :). As I understand Werner, he agrees that ciphertext > > integrity while streaming is desirable, and, I guess, thinks that is > > achievable with the current draft. I don't think it is possible, and > > I've raised a few concerns in my prior mails. I hope Werner can > > address those concerns. > > I admit that I have not studied the current draft closely, so my > comments might be out of whack, but my expectation is that the AEAD and > Chunking are done hand-in-hand. The chunk metadata (number/size/etc) > should be protected by the AEAD. > > So let's say you have a message that gets processed as: > > [Chunk 1] [Chunk 2] [Chunk 3/final] > > In the normal case, the receiver will process Chunk 1, then Chunk 2, and > then Chunk 3, and depending on the implementation MAY emit the Chunk 1 > plaintext (which HAS BEEN AUTHENTICATED) before it processes Chunk 2 > and/or Chunk 3. > > What can an attacker do? > > * If they modify the chunk size, the AEAD on that chunk will fail and > therefore the data should not be emitted. Note that this COULD cause > the receiver to emit Chunk 1 and then "stop". > > * If they cause Chunk 3 to disappear, they could get the receiver to emit > Chunks 1 and 2 and then stop with. But again, Chunk1 and Chunk2 are > still authenticated. > > * If they cause Chunk 2 to disappear, the numbering will be out of order > and the receiver can emit an error. > > * They can insert fake chunks. Let's say they cause the following: > [Chunk 1] [Chunk 2'] [Chunk 2] [Chunk 3'] [Chink 3/final] > > In this case, the attacker is inserting Chunk 2' and Chunk 3', > claiming to be chunks 2 and 3 respectively. So the question is, what > happens here? Well, the chunking here is expecting encryption (at > least I think it should be expecting encryption). So they would > authenticate Chunk 1 (and possibly emit it), but when processing Chunk > 2' they would fail on the AEAD because the attacker doesn't know the > key. > > The chunking should not allow any other type of data here. > > Am I missing another attack? > > [snip] > >> Which implementation? The sender or the receiver? > > > > I'm assuming that the sender is using the best we have to offer, i.e., > > chunked AEAD. > > > > I'm assuming that the receiver emits unauthenticated plaintext in some > > situations. > > In what situations would the receiver emit unauthenticated plaintext? > > >> Also, who is the > >> attacker? The Sender? Or a third party? > > > > I'm thinking of something like EFAIL. So, a third-party attacker who > > modifies the ciphertext. > > EFAIL was more that that -- it was also leveraging the fact that USERS > of OpenPGP would merge the contents of authenticated and > non-authenticated data when presented in e.g. a MIME context, such that > the processor could not differentiate between the protected and > unprotected content. > > >> The only attack is a DoS if the end is > >> truncated, and the earlier (valid) chunks have already been released. > >> > >> In other words, AEAD is used for each chunked block as a single, coherent > >> piece. Also I don't see how an attacker (third party) could leverage this > >> at all. They couldn't change the chunk size enroute. > > > > I hacked Sequoia to emit unauthenticated data, and I was able to > > change the chunk size and still get the plaintext of at least the > > first chunk of a message. So, my concern is: if a receiving > > implementation releases unauthenticated plaintext for large chunks > > rather than fail with ENOMEM, then a third-party attacker can change > > the chunk size of an intercepted message, and cause the receiver to > > process unauthenticated data, even though a small chunk size was > > originally used. > > Sure, but the first chunk of the message was authenticated when it was > emitted. The SECOND chunk failed, and I bet it stopped processing! > > This is what SHOULD happen. > > >> Each chunk is either > >> authenticated, or an error occurs. On error, it wouldn't be released. > > > > The question for me is: what does an implementation do if it can't > > buffer the message? Does it really throw an error? There already > > exists at least one implementation written by an editor listed on > > 4880bis that processes unauthenticated plaintext. > > I think we have different definitions of unauthenticated plaintext here. > > In a chunked message, plaintext is authenticated PER CHUNK. So once > Chunk 1 is processed, it is considered authenticated, and the > implementation is free to emit it, even if Chunk 2 fails. > > If Chunk 2 fails its AEAD check (but Chunk 1 processed successfully), do > you consider the plaintext of Chunk 1 unauthenticated? If so, why? > > -derek > > -- > Derek Atkins 617-623-3745 > derek@ihtfp.com www.ihtfp.com > Computer and Internet Security Consultant > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp >
- Re: [openpgp] AEAD Chunk Size Justus Winter
- [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Ronald Tse
- Re: [openpgp] AEAD Chunk Size Ronald Tse
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Hanno Böck
- Re: [openpgp] AEAD Chunk Size - Performance Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size - Performance Bart Butler
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size brian m. carlson
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size - Performance Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Sebastian Schinzel
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Werner Koch
- Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
- Re: [openpgp] AEAD Chunk Size Sebastian Schinzel
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Werner Koch
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Werner Koch
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
- Re: [openpgp] AEAD Chunk Size Peter Pentchev
- Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Bill Frantz
- [openpgp] WTF (Re: AEAD Chunk Size) Andre Heinecke
- Re: [openpgp] AEAD Chunk Size Werner Koch
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Werner Koch
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
- Re: [openpgp] AEAD Chunk Size Nickolay Olshevsky
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Tobias Mueller
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Bill Frantz
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
- Re: [openpgp] AEAD Chunk Size Bill Frantz
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Bill Frantz
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
- Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Wyllys Ingersoll
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size brian m. carlson
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Peter Gutmann
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
- Re: [openpgp] AEAD Chunk Size Conrado P. L. Gouvêa
- Re: [openpgp] AEAD Chunk Size Conrado P. L. Gouvêa
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Neal H. Walfield
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Jon Callas
- Re: [openpgp] AEAD Chunk Size Heiko Stamer
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Bart Butler
- Re: [openpgp] AEAD Chunk Size Derek Atkins
- Re: [openpgp] AEAD Chunk Size Werner Koch
- Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
- Re: [openpgp] [EXT] Re: AEAD Chunk Size Neil Hunsperger