Re: [openpgp] AEAD mode unverified chunks

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 01 July 2018 13:55 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [openpgp] AEAD mode unverified chunks
Thread-Index: AQHUEIzhW94Nj+WvxkKsWz4Icn2RHaR571i4//+oI4CAAM2DEg==
Date: Sun, 01 Jul 2018 13:55:30 +0000
Message-ID: <1530453318943.37822@cs.auckland.ac.nz>
References: <df7db7b9-b661-7534-1c34-fd63ae2876d9@ruhr-uni-bochum.de> <1530428015814.83795@cs.auckland.ac.nz>, <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de>
In-Reply-To: <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/kxKrhAMX8AH6ESrkfpskddTu_Ds>
Subject: Re: [openpgp] AEAD mode unverified chunks

Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org> writes:

>  If a chunk can not be authenticated, implementations MUST discard the
>  plaintext of that chunk without further processing

But that then requires the artificial chunk-size restriction you mentioned in
an earlier message, which also means you'll start expanding messages if you
have to break them up into smallish chunks with IVs and MACs and whatnot in
each chunk...

Hmmm, and a comment on the text:

"A new random initialization vector MUST be used for each message".

That should be "for each chunk", along with a strong warning about the fact
that you'll get a catastrophic failure of security if you don't do this and
use a highly brittle AEAD mode like GCM.  That is, this isn't just some nice
thing to do like the usual comment about using fresh IVs; you'll get a
catastrophic security failure if you don't, far more so than with any other
encryption mode that uses IVs.

Peter.
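[Editor's worked example, not part of Peter's message or of the OpenPGP draft
under discussion. It shows one concrete half of the "catastrophic failure"
above: if two chunks are sealed with AES-GCM under the same key and nonce, the
CTR keystream repeats, so XORing the two ciphertexts yields the XOR of the two
plaintexts, and an attacker who knows one chunk reads the other without the
key. The same code then seals chunks under per-chunk nonces and shows the leak
disappears. demoKey is a constructed fixed key, and chunkNonce (4-byte prefix
plus 8-byte chunk index) is a constructed nonce scheme for the example, not the
nonce construction in the draft.]

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// demoKey is a constructed, fixed AES-128 key used only for this demonstration.
var demoKey = []byte("0123456789abcdef")

// gcmSeal encrypts one chunk with AES-GCM and returns ciphertext||tag.
func gcmSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReused reports whether two GCM ciphertexts produced under nonce1 and
// nonce2 share their CTR keystream, i.e. whether c1 XOR c2 == p1 XOR p2 over the
// encrypted bytes (tags excluded). With a repeated nonce this is always true.
func KeystreamReused(key, nonce1, nonce2, p1, p2 []byte) (bool, error) {
	c1, err := gcmSeal(key, nonce1, p1, nil)
	if err != nil {
		return false, err
	}
	c2, err := gcmSeal(key, nonce2, p2, nil)
	if err != nil {
		return false, err
	}
	ctXor := xorBytes(c1[:len(p1)], c2[:len(p2)])
	return bytes.Equal(ctXor, xorBytes(p1, p2)), nil
}

// RecoverWithReusedNonce plays the attacker: given two ciphertexts made under the
// same key and nonce, plus knowledge of the first plaintext, it recovers the
// second plaintext without the key, purely from keystream reuse.
func RecoverWithReusedNonce(key, nonce, known, secret []byte) ([]byte, error) {
	c1, err := gcmSeal(key, nonce, known, nil)
	if err != nil {
		return nil, err
	}
	c2, err := gcmSeal(key, nonce, secret, nil)
	if err != nil {
		return nil, err
	}
	// (c1 XOR c2) XOR known == (ks XOR known XOR ks XOR secret) XOR known == secret
	return xorBytes(xorBytes(c1[:len(known)], c2[:len(secret)]), known), nil
}

// chunkNonce builds a distinct 12-byte nonce per chunk from a per-message prefix
// and the chunk index. Constructed scheme for this example, not the draft's.
func chunkNonce(prefix [4]byte, index uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce, prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], index)
	return nonce
}

// SealChunks encrypts every chunk under its own nonce, the per-chunk behaviour
// the message above asks the text to mandate.
func SealChunks(key []byte, prefix [4]byte, chunks [][]byte) ([][]byte, error) {
	out := make([][]byte, 0, len(chunks))
	for i, chunk := range chunks {
		ct, err := gcmSeal(key, chunkNonce(prefix, uint64(i)), chunk, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, ct)
	}
	return out, nil
}

func main() {
	prefix := [4]byte{1, 2, 3, 4}
	nonce := chunkNonce(prefix, 0)
	known := []byte("chunk one, fully known to attacker")
	secret := []byte("chunk two, supposedly confidential")
	got, _ := RecoverWithReusedNonce(demoKey, nonce, known, secret)
	fmt.Printf("recovered from reused nonce: %q\n", got)
	same, _ := KeystreamReused(demoKey, nonce, chunkNonce(prefix, 1), known, secret)
	fmt.Println("keystream shared across distinct chunk nonces:", same)
}
```

The keystream-reuse leak shown here is the part GCM shares with plain CTR mode.
What makes the GCM case worse, and is not reproduced in this example, is that a
repeated nonce also lets an attacker solve for the GHASH authentication subkey H
from the two tags, after which tags can be forged for further messages under
that key. Deriving the nonce from a counter per chunk, as SealChunks does, is
the usual way to guarantee the "for each chunk" requirement without relying on
fresh randomness at every chunk boundary.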