IETF Logo Mail Archive

Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 30 October 2015 14:11 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3FE61A1A3D for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2015 07:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtcdQaEHAhry for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2015 07:11:32 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 57BCB1A1A1C for <openpgp@ietf.org>; Fri, 30 Oct 2015 07:11:32 -0700 (PDT)
Received: from fifthhorseman.net (y125068.ppp.asahi-net.or.jp [118.243.125.68]) by che.mayfirst.org (Postfix) with ESMTPSA id 9710BF984; Fri, 30 Oct 2015 10:11:24 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 377CA1FFD3; Fri, 30 Oct 2015 23:11:23 +0900 (JST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Watson Ladd <watsonbladd@gmail.com>, Natanael <natanael.l@gmail.com>
In-Reply-To: <CACsn0cm=t3XCTu8O7bxpB79n-ksodZOEGsChspvD25V_4xjhQw@mail.gmail.com>
References: <87twp91d8r.fsf@alice.fifthhorseman.net> <CAAt2M19s-grQ9No9kAhBDCKKTw6oj9wHdiU5XuGjLO5Y8B87dA@mail.gmail.com> <CACsn0cm=t3XCTu8O7bxpB79n-ksodZOEGsChspvD25V_4xjhQw@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Fri, 30 Oct 2015 23:11:23 +0900
Message-ID: <878u6ktpis.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/jHX2F0y8u3CxYBAJprVXfPjzJaw>
Cc: IETF OpenPGP <openpgp@ietf.org>, cfrg@irtf.org
Subject: Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2015 14:11:35 -0000

On Fri 2015-10-30 21:30:44 +0900, Watson Ladd wrote:
>> >  b) it doesn't seem to compose as well with asymmetric signatures as one
>> >     might like: a signature over the whole material can't itself be
>> >     verified until one full pass through the data; and a signature over
>> >     just the symmetric key would prove nothing, since anyone getting the
>> >     symmetric key could forge an arbitrary valid, decryptable stream.
>> >     Is there an intermediate approach that would combine an asymmetric
>> >     signature with a chunkable authenticated encryption such that a
>> >     decryptor could stream one pass and be certain of its origin (at
>> >     least up until truncation, if (a) can't be resolved)?
>> >
>> > Thoughts, pointers, or suggestions would be much appreciated.
>
> Use authenticated encryption so no signatures are required. Detached
> signature verification is used for large public messages already: no
> streaming needed.

OK, i am worried that i might have sidetracked the dicsussion with this
side-note here.  We don't have a solution for (b) above today, and as
Watson notes, there are use patterns that suggest people might be OK
with doing two-pass signature verification before processing large
files.

So i'd like to ask folks to put this side-note aside, please, and try to
re-focus on the main original question:

> AGL describes this problem here:
> 
>  https://www.imperialviolet.org/2014/06/27/streamingencryption.html
> 
> and he roughly outlines a generic construction of a composable/chunkable
> approach using AEAD:
> 
>> Ideally such a scheme would take an AEAD and produce something very
>> like an AEAD in that it takes a key, nonce and additional data, but
>> can safely work in a streaming fashion. I don't think it need be very
>> complex: take 64 bits of the nonce from the underlying AEAD as the
>> chunk number, always start with chunk number zero and feed the
>> additional data into chunk zero with a zero byte prefix. Prefix each
>> chunk ciphertext with a 16 bit length and set the MSB to indicate the
>> last chunk and authenticate that indication by setting the additional
>> data to a single, 1 byte. The major worry might be that for many
>> underlying AEADs, taking 64 bits of the nonce for the chunk counter
>> leaves one with very little (or none!) left.
> 
> Two examples of projects that take something like this approach are
> miniLock and Tahoe-LAFS:
> 
>  https://github.com/kaepora/miniLock
>  https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/specifications/file-encoding.rst
> 
> I'm unaware of any formalization of this approach, though.  Does anyone
> know of one?  If OpenPGP were to adopt AGL's construct, are there
> specific risks to be aware of?

  --dkg

v2.23.0 | Report a Bug | By Email