Re: [openpgp] AEAD mode unverified chunks
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 01 July 2018 13:55 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Date: Sun, 01 Jul 2018 13:55:30 +0000
Message-ID: <1530453318943.37822@cs.auckland.ac.nz>
References: <df7db7b9-b661-7534-1c34-fd63ae2876d9@ruhr-uni-bochum.de> <1530428015814.83795@cs.auckland.ac.nz>, <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de>
In-Reply-To: <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/kxKrhAMX8AH6ESrkfpskddTu_Ds>
Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org> writes:

> If a chunk can not be authenticated, implementations MUST discard the
> plaintext of that chunk without further processing

But that then requires the artificial chunk-size restriction you mentioned in an earlier message, which also means you'll start expanding messages if you have to break them up into smallish chunks with IVs and MACs and whatnot in each chunk...

Hmmm, and a comment on the text: "A new random initialization vector MUST be used for each message". That should be "for each chunk", along with a strong warning about the fact that you'll get a catastrophic failure of security if you don't do this and use a highly brittle AEAD mode like GCM. That is, this isn't just some nice thing to do like the usual comment about using fresh IVs, you'll get a catastrophic security failure if you don't, far more so than with any other encryption mode that uses IVs.

Peter.
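The three points in the exchange above (a chunk whose tag fails must yield no plaintext, every chunk adds its own tag and so expands the message, and a GCM nonce must never repeat across chunks) can be seen concretely in the following Go program. It is an added example for this archive page, not code from the post, from the OpenPGP draft or from any OpenPGP implementation. It uses only Go's standard-library AES-GCM. The per-chunk nonce derivation (chunk index XORed into a random per-message base), the 16-byte chunk size, the sample plaintext and the names `chunkNonce`, `sealChunked`, `openChunked`, `nonceReuseLeaks` and `run` are all assumptions made for the demo and do not describe the draft's actual packet format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const chunkSize = 16 // constructed demo value; real OpenPGP chunks are far larger

// chunkNonce XORs the chunk index into the last 4 bytes of a per-message random
// base, so no (key, nonce) pair repeats. The derivation is this example's assumption.
func chunkNonce(base []byte, i uint32) []byte {
	n := append([]byte(nil), base...)
	binary.BigEndian.PutUint32(n[8:], binary.BigEndian.Uint32(n[8:])^i)
	return n
}

// sealChunked encrypts chunk by chunk; each chunk carries its own GCM tag (aead.Overhead() bytes).
func sealChunked(aead cipher.AEAD, base, msg []byte) [][]byte {
	var chunks [][]byte
	for start := 0; start < len(msg); start += chunkSize {
		end := start + chunkSize
		if end > len(msg) {
			end = len(msg)
		}
		i := uint32(len(chunks))
		chunks = append(chunks, aead.Seal(nil, chunkNonce(base, i), msg[start:end], nil))
	}
	return chunks
}

// openChunked decrypts in order and stops at the first bad tag, returning only the
// plaintext of verified chunks plus the failed index (-1 if none): the failed chunk is never released.
func openChunked(aead cipher.AEAD, base []byte, chunks [][]byte) ([]byte, int, error) {
	var out []byte
	for i, c := range chunks {
		pt, err := aead.Open(nil, chunkNonce(base, uint32(i)), c, nil)
		if err != nil {
			return out, i, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, -1, nil
}

// nonceReuseLeaks shows why a fresh nonce per chunk is mandatory with GCM: two plaintexts
// sealed under one key and one nonce give ciphertexts whose XOR equals the plaintext XOR.
func nonceReuseLeaks(aead cipher.AEAD, nonce, p1, p2 []byte) bool {
	c1, c2 := aead.Seal(nil, nonce, p1, nil), aead.Seal(nil, nonce, p2, nil)
	for k := 0; k < len(p1) && k < len(p2); k++ {
		if c1[k]^c2[k] != p1[k]^p2[k] {
			return false
		}
	}
	return true
}

type Result struct {
	RoundTrip  bool // untouched chunks all verified and the message came back
	FailedIdx  int  // index of the tampered chunk that was rejected
	Released   int  // plaintext bytes released before the bad chunk
	Expansion  int  // bytes added by the per-chunk tags
	ReuseLeaks bool // one nonce on two chunks exposes the plaintext XOR
}

func run() (Result, error) {
	seed := make([]byte, 44) // 32-byte AES key followed by a 12-byte nonce base
	if _, err := rand.Read(seed); err != nil {
		return Result{}, err
	}
	base := seed[32:]
	block, err := aes.NewCipher(seed[:32])
	if err != nil {
		return Result{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Result{}, err
	}
	msg := []byte("constructed sample plaintext for the chunked AEAD demo") // 54 bytes: chunks of 16,16,16,6
	chunks := sealChunked(aead, base, msg)
	got, _, err := openChunked(aead, base, chunks)
	res := Result{RoundTrip: err == nil && string(got) == string(msg), Expansion: len(chunks) * aead.Overhead()}
	chunks[2][0] ^= 0x01 // flip one bit in the third chunk: it must be rejected
	partial, failed, _ := openChunked(aead, base, chunks)
	res.FailedIdx, res.Released = failed, len(partial)
	// Deliberate nonce reuse across two chunks, purely to show the failure mode the post warns about.
	res.ReuseLeaks = nonceReuseLeaks(aead, chunkNonce(base, 0), msg[:16], msg[16:32])
	return res, nil
}

func main() {
	res, err := run()
	fmt.Printf("%+v %v\n", res, err)
}
```

Running it shows the round trip succeeding, the corrupted third chunk being rejected with only the 32 bytes of the two earlier chunks released, 64 bytes of tag overhead for a 54-byte message (the expansion grows with the number of chunks, which is the cost of small chunks), and the plaintext XOR relation holding as soon as one nonce is used twice. A streaming decryptor that has already emitted earlier chunks cannot take them back, which is why the chunk size and the per-chunk nonce discipline matter together.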