Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 30 October 2015 14:11 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3FE61A1A3D for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2015 07:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtcdQaEHAhry for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2015 07:11:32 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 57BCB1A1A1C for <openpgp@ietf.org>; Fri, 30 Oct 2015 07:11:32 -0700 (PDT)
Received: from fifthhorseman.net (y125068.ppp.asahi-net.or.jp [118.243.125.68]) by che.mayfirst.org (Postfix) with ESMTPSA id 9710BF984; Fri, 30 Oct 2015 10:11:24 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 377CA1FFD3; Fri, 30 Oct 2015 23:11:23 +0900 (JST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Watson Ladd <watsonbladd@gmail.com>, Natanael <natanael.l@gmail.com>
In-Reply-To: <CACsn0cm=t3XCTu8O7bxpB79n-ksodZOEGsChspvD25V_4xjhQw@mail.gmail.com>
References: <87twp91d8r.fsf@alice.fifthhorseman.net> <CAAt2M19s-grQ9No9kAhBDCKKTw6oj9wHdiU5XuGjLO5Y8B87dA@mail.gmail.com> <CACsn0cm=t3XCTu8O7bxpB79n-ksodZOEGsChspvD25V_4xjhQw@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Fri, 30 Oct 2015 23:11:23 +0900
Message-ID: <878u6ktpis.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/jHX2F0y8u3CxYBAJprVXfPjzJaw>
Cc: IETF OpenPGP <openpgp@ietf.org>, cfrg@irtf.org
Subject: Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2015 14:11:35 -0000
On Fri 2015-10-30 21:30:44 +0900, Watson Ladd wrote: >> > b) it doesn't seem to compose as well with asymmetric signatures as one >> > might like: a signature over the whole material can't itself be >> > verified until one full pass through the data; and a signature over >> > just the symmetric key would prove nothing, since anyone getting the >> > symmetric key could forge an arbitrary valid, decryptable stream. >> > Is there an intermediate approach that would combine an asymmetric >> > signature with a chunkable authenticated encryption such that a >> > decryptor could stream one pass and be certain of its origin (at >> > least up until truncation, if (a) can't be resolved)? >> > >> > Thoughts, pointers, or suggestions would be much appreciated. > > Use authenticated encryption so no signatures are required. Detached > signature verification is used for large public messages already: no > streaming needed. OK, i am worried that i might have sidetracked the dicsussion with this side-note here. We don't have a solution for (b) above today, and as Watson notes, there are use patterns that suggest people might be OK with doing two-pass signature verification before processing large files. So i'd like to ask folks to put this side-note aside, please, and try to re-focus on the main original question: > AGL describes this problem here: > > https://www.imperialviolet.org/2014/06/27/streamingencryption.html > > and he roughly outlines a generic construction of a composable/chunkable > approach using AEAD: > >> Ideally such a scheme would take an AEAD and produce something very >> like an AEAD in that it takes a key, nonce and additional data, but >> can safely work in a streaming fashion. I don't think it need be very >> complex: take 64 bits of the nonce from the underlying AEAD as the >> chunk number, always start with chunk number zero and feed the >> additional data into chunk zero with a zero byte prefix. Prefix each >> chunk ciphertext with a 16 bit length and set the MSB to indicate the >> last chunk and authenticate that indication by setting the additional >> data to a single, 1 byte. The major worry might be that for many >> underlying AEADs, taking 64 bits of the nonce for the chunk counter >> leaves one with very little (or none!) left. > > Two examples of projects that take something like this approach are > miniLock and Tahoe-LAFS: > > https://github.com/kaepora/miniLock > https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/specifications/file-encoding.rst > > I'm unaware of any formalization of this approach, though. Does anyone > know of one? If OpenPGP were to adopt AGL's construct, are there > specific risks to be aware of? --dkg
- [openpgp] streamable AEAD construct for stored da… Daniel Kahn Gillmor
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Watson Ladd
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Daniel Kahn Gillmor
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Watson Ladd
- Re: [openpgp] streamable AEAD construct for store… vedaal
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Zooko Wilcox-OHearn
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Natanael
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Natanael
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Taylor R Campbell
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Andy Lutomirski
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Adam Langley
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Andy Lutomirski
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Björn Edström
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Andrey Jivsov
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Peter Todd
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Andy Lutomirski
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Peter Todd
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Andy Lutomirski
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Peter Todd
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Bryan Ford
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Andy Lutomirski
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Bryan Ford
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… ianG
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Nils Durner
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Bryan Ford
- Re: [openpgp] [Cfrg] streamable AEAD construct fo… Bryan Ford