Re: [openpgp] [EXT] Re: AEAD Chunk Size

Neil Hunsperger <Neil_Hunsperger@symantec.com> Fri, 03 May 2019 21:29 UTC

Return-Path: <Neil_Hunsperger@symantec.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5849120165 for <openpgp@ietfa.amsl.com>; Fri, 3 May 2019 14:29:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symantec.com header.b=BP8rF4iQ; dkim=pass (1024-bit key) header.d=symantec.com header.b=uQQn7BVh
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1OcFKuHwB2ay for <openpgp@ietfa.amsl.com>; Fri, 3 May 2019 14:29:44 -0700 (PDT)
Received: from asbsmtoutape01.symantec.com (asbsmtoutape01.symantec.com [155.64.138.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0857B12015E for <openpgp@ietf.org>; Fri, 3 May 2019 14:29:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=Symantec.com; s=2; c=relaxed/simple; q=dns/txt; i=@Symantec.com; t=1556918982; x=2420832582; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=4SirwfC4j43/ILIB6B/LGnHLqsbpJD9tRdn6odimjzY=; b=BP8rF4iQL3BnveeKGsiJwrz9TVlqAZ1zIkd0LJsOIf5gIJKn1uRsnw4Oqg1k9q1p Wc7FNcY/X4r116W8c+wVwHIAtyQ/gFoAYLJX/VaTuDLPESZu0RrVD9IlcxZnfd2V GnuqlNIF9DnTuHHQgV0Z/xsQx4/VVtUSS7pxupFvZf0=;
Received: from asbsmtmtaapi01.symc.symantec.com (asb1-f5-symc-ext-prd-snat10.net.symantec.com [10.90.75.10]) by asbsmtoutape01.symantec.com (Symantec Messaging Gateway) with SMTP id 9D.72.02630.6C2BCCC5; Fri, 3 May 2019 21:29:42 +0000 (GMT)
X-AuditID: 0a5af819-f0d569e000010a46-53-5cccb2c67fea
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (asb1-f5-symc-ext-prd-snat2.net.symantec.com [10.90.75.2]) by asbsmtmtaapi01.symc.symantec.com (Symantec Messaging Gateway) with SMTP id FE.98.52441.5C2BCCC5; Fri, 3 May 2019 21:29:42 +0000 (GMT)
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 3 May 2019 14:29:41 -0700
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (10.44.128.10) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Fri, 3 May 2019 14:29:41 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symantec.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uUIx6bGUbbSq0trIQtH2FgCugisy7RT/srwyYZDcLaM=; b=uQQn7BVhBkJ3t0ZzBqcEUe3gaooe4WueU7v49QKNwQM9HRE8eO1rCPzNL+R26UTZGl5sWwjBj0gMlvRhck8uxKaNFvAXfzqqlmfBJ9WDQJCEZIWQvA3XGi6xxYofHfEw5Y58+4kQpHDzWGTfMIELIa7f4B1AE23D59VwrIpfUkc=
Received: from BY5PR16MB3302.namprd16.prod.outlook.com (10.255.163.81) by BY5PR16MB3143.namprd16.prod.outlook.com (10.255.160.221) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1856.11; Fri, 3 May 2019 21:29:40 +0000
Received: from BY5PR16MB3302.namprd16.prod.outlook.com ([fe80::58d9:baf6:b6b8:1fd2]) by BY5PR16MB3302.namprd16.prod.outlook.com ([fe80::58d9:baf6:b6b8:1fd2%3]) with mapi id 15.20.1856.012; Fri, 3 May 2019 21:29:40 +0000
From: Neil Hunsperger <Neil_Hunsperger@symantec.com>
To: "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [EXT] Re: [openpgp] AEAD Chunk Size
Thread-Index: AQHU5WIewi6VyTVun0K++o+ommhfzqYhj1CAgAAKeQCAAFc1gIAAZl+AgAA6vgCAAAdygIAAe5wAgABdpICAAV29gIAAVE6AgBjfVACAAZOuAIACtaqAgAdBgQeAEJPn4A==
Date: Fri, 3 May 2019 21:29:39 +0000
Message-ID: <BY5PR16MB33027DD1629691D48EECE1A9E9350@BY5PR16MB3302.namprd16.prod.outlook.com>
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <87d0m9hl62.wl-neal@walfield.org> <FEE9711C-3C64-493C-8125-89696B882E0A@icloud.com> <2di2bK8m-7HtDeoUEH9oPqs-bL-IKSE0CjkgFShPMLOlUyeDBVkVGApdjnIpS6YRAeKU3ibGCZCtwLden-N6zK5W4fqIghRGDa5dU720nEs=@protonmail.com> <73739F8A-5E9F-4277-B053-FDD2E8D81B17@icloud.com> <cc75QwJwTIffqLK7fzZ3A2Pw1Vb3_lkhSHfYRPyASZcxceG2c0Cpbld529WsXosP7X9x4agikpGD4dVTXK8iaRkblS9Jokv1tD2TceQBbyE=@protonmail.com> <18FF6D9C-B285-406E-A344-E6362646DE68@icloud.com> <YMBMgZGGCSQb4Bnp9xRFkBfOn-I97FrycqHK4NvuHUkgtmL6_UaumtHJwJc-4nbmACSHrA4CWqEeLMDUuoVFMq0Vc6M0fwO8G40Mq1heEgI=@protonmail.com> <uIkPmRBGfmyVi5QPuVeXkm02_Y_zfPUWPWCsZtDHyjFaFbNOY8mJyUK42pm80AJ-_-jf-ut1xPK_SMkjGDgrL4cT4BcAbeaBQvSYhqFoD7U=@protonmail.com> <875zr5ywd7.fsf@wheatstone.g10code.de>
In-Reply-To: <875zr5ywd7.fsf@wheatstone.g10code.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Neil_Hunsperger@symantec.com;
x-originating-ip: [155.64.23.33]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e4c7bb13-cca0-4941-3d18-08d6d00e733a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:BY5PR16MB3143;
x-ms-traffictypediagnostic: BY5PR16MB3143:
x-microsoft-antispam-prvs: <BY5PR16MB3143CE0AA7684D0D6FA0A24FE9350@BY5PR16MB3143.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0026334A56
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(136003)(346002)(376002)(396003)(199004)(189003)(5640700003)(5660300002)(71190400001)(71200400001)(86362001)(2501003)(14454004)(14444005)(73956011)(6506007)(76116006)(256004)(6436002)(11346002)(486006)(446003)(476003)(2906002)(2351001)(52536014)(26005)(102836004)(229853002)(305945005)(6916009)(186003)(68736007)(478600001)(55016002)(10290500003)(316002)(6116002)(74316002)(53936002)(72206003)(9686003)(3846002)(76176011)(8936002)(7736002)(25786009)(1730700003)(66556008)(66446008)(64756008)(66946007)(66476007)(8676002)(81166006)(99286004)(81156014)(66066001)(80792005)(6246003)(7696005)(33656002)(9010500006); DIR:OUT; SFP:1101; SCL:1; SRVR:BY5PR16MB3143; H:BY5PR16MB3302.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: q1CTusOVrwgJrsTBUbUSPKMgzV2lqkR8NLeWyjb1XfH1grCN5WHKPs35EA64nW2ZgH+OtnBFZ1Xytv8gqfMVIRH4/4YehfWIt++/uH03T9JUG7BsfMdQtXFerr/7eviajsNeJ2YDULqPeSIB9CHjT7wt4WqXLtCixmvZUJ8AcxS/I3+jbtXqpiGvN6F2Pd3okfycwpRqSEF4KvAC5SN8QSCxA77F+xsCihSfln5qLyrYJXgk0YBVqASB53tmNW/tzMbE9iIIUslzJNaFq/H5FjwzuwI8v63V29zn+WoSFCRS0GVZ6GpBLj7C8jrfexEUWdd1BksqJhiAC4PAlp7I9dqrtdahFO4oWfuNsaV0M/e3696ONMkNd/g/Wyh5bQvbi+z9OnKzkK2tHxXHE0Qoj8Lzd80o6z1dm97+eaZlS+M=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e4c7bb13-cca0-4941-3d18-08d6d00e733a
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2019 21:29:39.8978 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR16MB3143
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupgleLIzCtJLcpLzFFi42LhivLm0j226UyMwZ5JXBYN/x6yOzB6LFny kymAMYrLJiU1J7MstUjfLoEro+0Vd8F/gYoDLxayNTBe4O1i5OSQEDCR+N32mbGLkYtDSOAz o8SPFYuZYRLLrz9nhUh8Z5Roa5jBBOEcYZS429bEDOG8YJQ4//sYC4jDIjCBWaLn7g82iMxk JonbZ+5BTX7IKPHkyGQWkMlsQJPXTm9jArFFBDQl+nYsZwOxhQUMJJ7c28sMETeU6Jj0EKpm EqPE3/s1IDaLgIpE254/YHN4BWIkmj6vhTrqC5vE10d32UESnALGEgdXXAJrZhQQk/h+ag2Y zSwgLnHryXwmiPcEJJbsOQ/1qqjEy8f/WCHq4yXaXk+FiitIHJ7dwg5hy0pcmt/NCGH7Stzp ng8OAAmBC4wSc6/OYINIaEksvX4MaBAHkJ0t8fS/F0RYTeLz0ytQM2Ukzjd8ZoLo3cgm8ef/ c6YJjAazkNwHYetILNj9iQ3C1pZYtvA18yywpwUlTs58wrKAkWUVo0JicVJxbkl+aUliQaqB oV5xZW4yiEgEpo5kveT83E2M4PTxQ3IH45ETPocYBTgYlXh41dafiRFiTSwDqjzEKMHBrCTC G/fxVIwQb0piZVVqUX58UWlOavEhRmkOFiVxXquJQCmB9MSS1OzU1ILUIpgsEwenVAMj6wfV Ryf+snqVS6rZLNDjeBmWvKh0zZtFt4XZu72+/viX9/vuy8+73nywCfM8qmV3fkIo5xzron1K zh9f77I8p3g8Upd15qdrlgln9GLypvK93Scdf8N1/bubp6brievK2eVrfZg7oe7W7DTeyk8Z 80zWpMwt8nl94dj7hTFsj4tkpqzo6qkTV2Ipzkg01GIuKk4EAORxxTQbAwAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsXCFeXNpHts05kYg8u/WC0a/j1kd2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXRtsr7oL/AhUHXixka2C8wNvFyMkhIWAisfz6c9YuRi4OIYHv jBJtDTOYIJwjjBJ325qYIZwXjBLnfx9jAXFYBCYwS/Tc/cEGkZnMJHH7zD1GCOcho8STI5NZ QCazAU1eO72NCcQWEdCU6NuxnA3EFhYwkHhyby8zRNxQomPSQ6iaSYwSf+/XgNgsAioSbXv+ gM3hFYiRaPq8FuqoL2wSXx/dZQdJcAoYSxxccQmsmVFATOL7qTVgNrOAuMStJ/OZIN4TkFiy 5zwzhC0q8fLxP1aI+niJttdToeIKEodnt7BD2LISl+Z3M0LYvhJ3uueDA0BC4AKjxNyrM9gg EloSS68fAxrEAWRnSzz97wURVpP4/PQK1EwZifMNn5kgejeySfz5/5wJpF5IIFVi+wx1iBo5 iVW9D1kmMOrMQnI2hK0jsWD3JzYIW1ti2cLXzLPAYSEocXLmE5YFjCyrGBUSi5OKc0tySxIT CzINDPWKK3OTQUQiMG0k6yXn525iBKeO32I7GA/88TnEKMDBqMTD+0LrTIwQa2IZUOUhRmkO FiVx3s0xX6KFBNITS1KzU1MLUovii0pzUosPMTJxcEo1MFb0uvn846/yfXLj9Jrt3lW3J3xN aWfcHl/f0zqziGkb/4kNSqYJZwt/zwi/2H5fWDT/t5HV/8+7ub6qTMr4ZKx39+/9GT8LL0vd 3VW4T1vdiP/+K9UzjJwnksI0/1ZJzzOexS/eOW9vyZFnneeOlmZOvHKWT6h45Yp9HGon+25/ veB274/T5mlKLMUZiYZazEXFiQCkwABe/gIAAA==
X-CFilter-Loop: ASB04
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lMB89sd0fjvwc65s6mYnGEZE3Bo>
Subject: Re: [openpgp] [EXT] Re: AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 21:29:46 -0000

> From: openpgp <openpgp-bounces@ietf.org> On Behalf Of Werner Koch
> Sent: Tuesday, April 23, 2019 1:11 AM
> I am not sure about the context.  Are you talking about the partial length encoding or about the AEAD chunk size, a modification of AEAD to allow detection of transmission errors before the end of the data?

Is the disconnect between Werner and many of those replying just whether it's meaningful to have 3 security levels instead of 2?

Level 1: The receiver verified the signature computed over all the data. The data is from Alice.
Level 2: The receiver verified AEAD chunks but not the signature. The data is a prefix of data sent by someone who had the decryption key to that data.
Level 3: The receiver verified neither AEAD chunks nor the signature. The data could be from anyone. It could be from your friend Alice, but modified by Eve in a way that compromises its confidentiality.

If one's threat model lumps levels #2 and #3 into one "untrusted" bucket, then AEAD is purely a convenience mechanism.

If one's threat model aims to protect downstream code that is robust against RCE attacks but weak against information disclosure attacks, then AEAD chunks provide measurable security.

> For all other purposes I propose to use a different protocol on top of OpenPGP a (e.g MIME) and not to overload OpenPGP with unneeded stuff.

I think we can let people rely on OpenPGP to differentiate above levels #2 and #3 without making the OpenPGP protocol any more complicated. The maximum size for chunks just needs to be "small-ish": the value this thread was trying to define.

-Neil

Aside: An even safer way to use AEAD would be to sign something derived from the decryption key and place that signature before the AEAD Encrypted Data Packet. Thus when a library streams out checked AEAD chunks, those chunks are known to be prefixes of a message that Alice sent. This is the strongest security guarantee possible with a pure streaming interface. I think it would only be useful in an environment where unsigned data is always rejected. And this would complicate the spec!