Re: [openpgp] [EXT] Re: AEAD Chunk Size

Neil Hunsperger <Neil_Hunsperger@symantec.com> Fri, 03 May 2019 21:29 UTC

From: Neil Hunsperger <Neil_Hunsperger@symantec.com>
To: "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [EXT] Re: [openpgp] AEAD Chunk Size
Thread-Index: AQHU5WIewi6VyTVun0K++o+ommhfzqYhj1CAgAAKeQCAAFc1gIAAZl+AgAA6vgCAAAdygIAAe5wAgABdpICAAV29gIAAVE6AgBjfVACAAZOuAIACtaqAgAdBgQeAEJPn4A==
Date: Fri, 3 May 2019 21:29:39 +0000
Message-ID: <BY5PR16MB33027DD1629691D48EECE1A9E9350@BY5PR16MB3302.namprd16.prod.outlook.com>
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <87d0m9hl62.wl-neal@walfield.org> <FEE9711C-3C64-493C-8125-89696B882E0A@icloud.com> <2di2bK8m-7HtDeoUEH9oPqs-bL-IKSE0CjkgFShPMLOlUyeDBVkVGApdjnIpS6YRAeKU3ibGCZCtwLden-N6zK5W4fqIghRGDa5dU720nEs=@protonmail.com> <73739F8A-5E9F-4277-B053-FDD2E8D81B17@icloud.com> <cc75QwJwTIffqLK7fzZ3A2Pw1Vb3_lkhSHfYRPyASZcxceG2c0Cpbld529WsXosP7X9x4agikpGD4dVTXK8iaRkblS9Jokv1tD2TceQBbyE=@protonmail.com> <18FF6D9C-B285-406E-A344-E6362646DE68@icloud.com> <YMBMgZGGCSQb4Bnp9xRFkBfOn-I97FrycqHK4NvuHUkgtmL6_UaumtHJwJc-4nbmACSHrA4CWqEeLMDUuoVFMq0Vc6M0fwO8G40Mq1heEgI=@protonmail.com> <uIkPmRBGfmyVi5QPuVeXkm02_Y_zfPUWPWCsZtDHyjFaFbNOY8mJyUK42pm80AJ-_-jf-ut1xPK_SMkjGDgrL4cT4BcAbeaBQvSYhqFoD7U=@protonmail.com> <875zr5ywd7.fsf@wheatstone.g10code.de>
In-Reply-To: <875zr5ywd7.fsf@wheatstone.g10code.de>
Accept-Language: en-US
Content-Language: en-US
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e4c7bb13-cca0-4941-3d18-08d6d00e733a
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2019 21:29:39.8978 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR16MB3143
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupgleLIzCtJLcpLzFFi42LhivLm0j226UyMwZ5JXBYN/x6yOzB6LFny kymAMYrLJiU1J7MstUjfLoEro+0Vd8F/gYoDLxayNTBe4O1i5OSQEDCR+N32mbGLkYtDSOAz o8SPFYuZYRLLrz9nhUh8Z5Roa5jBBOEcYZS429bEDOG8YJQ4//sYC4jDIjCBWaLn7g82iMxk JonbZ+5BTX7IKPHkyGQWkMlsQJPXTm9jArFFBDQl+nYsZwOxhQUMJJ7c28sMETeU6Jj0EKpm EqPE3/s1IDaLgIpE254/YHN4BWIkmj6vhTrqC5vE10d32UESnALGEgdXXAJrZhQQk/h+ag2Y zSwgLnHryXwmiPcEJJbsOQ/1qqjEy8f/WCHq4yXaXk+FiitIHJ7dwg5hy0pcmt/NCGH7Stzp ng8OAAmBC4wSc6/OYINIaEksvX4MaBAHkJ0t8fS/F0RYTeLz0ytQM2Ukzjd8ZoLo3cgm8ef/ c6YJjAazkNwHYetILNj9iQ3C1pZYtvA18yywpwUlTs58wrKAkWUVo0JicVJxbkl+aUliQaqB oV5xZW4yiEgEpo5kveT83E2M4PTxQ3IH45ETPocYBTgYlXh41dafiRFiTSwDqjzEKMHBrCTC G/fxVIwQb0piZVVqUX58UWlOavEhRmkOFiVxXquJQCmB9MSS1OzU1ILUIpgsEwenVAMj6wfV Ryf+snqVS6rZLNDjeBmWvKh0zZtFt4XZu72+/viX9/vuy8+73nywCfM8qmV3fkIo5xzron1K zh9f77I8p3g8Upd15qdrlgln9GLypvK93Scdf8N1/bubp6brievK2eVrfZg7oe7W7DTeyk8Z 80zWpMwt8nl94dj7hTFsj4tkpqzo6qkTV2Ipzkg01GIuKk4EAORxxTQbAwAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsXCFeXNpHts05kYg8u/WC0a/j1kd2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXRtsr7oL/AhUHXixka2C8wNvFyMkhIWAisfz6c9YuRi4OIYHv jBJtDTOYIJwjjBJ325qYIZwXjBLnfx9jAXFYBCYwS/Tc/cEGkZnMJHH7zD1GCOcho8STI5NZ QCazAU1eO72NCcQWEdCU6NuxnA3EFhYwkHhyby8zRNxQomPSQ6iaSYwSf+/XgNgsAioSbXv+ gM3hFYiRaPq8FuqoL2wSXx/dZQdJcAoYSxxccQmsmVFATOL7qTVgNrOAuMStJ/OZIN4TkFiy 5zwzhC0q8fLxP1aI+niJttdToeIKEodnt7BD2LISl+Z3M0LYvhJ3uueDA0BC4AKjxNyrM9gg EloSS68fAxrEAWRnSzz97wURVpP4/PQK1EwZifMNn5kgejeySfz5/5wJpF5IIFVi+wx1iBo5 iVW9D1kmMOrMQnI2hK0jsWD3JzYIW1ti2cLXzLPAYSEocXLmE5YFjCyrGBUSi5OKc0tySxIT CzINDPWKK3OTQUQiMG0k6yXn525iBKeO32I7GA/88TnEKMDBqMTD+0LrTIwQa2IZUOUhRmkO FiVx3s0xX6KFBNITS1KzU1MLUovii0pzUosPMTJxcEo1MFb0uvn846/yfXLj9Jrt3lW3J3xN aWfcHl/f0zqziGkb/4kNSqYJZwt/zwi/2H5fWDT/t5HV/8+7ub6qTMr4ZKx39+/9GT8LL0vd 3VW4T1vdiP/+K9UzjJwnksI0/1ZJzzOexS/eOW9vyZFnneeOlmZOvHKWT6h45Yp9HGon+25/ veB274/T5mlKLMUZiYZazEXFiQCkwABe/gIAAA==
X-CFilter-Loop: ASB04
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lMB89sd0fjvwc65s6mYnGEZE3Bo>
Subject: Re: [openpgp] [EXT] Re: AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 21:29:46 -0000

> From: openpgp <openpgp-bounces@ietf.org> On Behalf Of Werner Koch
> Sent: Tuesday, April 23, 2019 1:11 AM
> I am not sure about the context.  Are you talking about the partial length encoding or about the AEAD chunk size, a modification of AEAD to allow detection of transmission errors before the end of the data?

Is the disconnect between Werner and many of those replying just whether it's meaningful to have 3 security levels instead of 2?

Level 1: The receiver verified the signature computed over all the data. The data is from Alice.
Level 2: The receiver verified AEAD chunks but not the signature. The data is a prefix of data sent by someone who had the decryption key to that data.
Level 3: The receiver verified neither AEAD chunks nor the signature. The data could be from anyone. It could be from your friend Alice, but modified by Eve in a way that compromises its confidentiality.

If one's threat model lumps levels #2 and #3 into one "untrusted" bucket, then AEAD is purely a convenience mechanism.

If one's threat model aims to protect downstream code that is robust against RCE attacks but weak against information disclosure attacks, then AEAD chunks provide measurable security.

> For all other purposes I propose to use a different protocol on top of OpenPGP a (e.g MIME) and not to overload OpenPGP with unneeded stuff.

I think we can let people rely on OpenPGP to differentiate above levels #2 and #3 without making the OpenPGP protocol any more complicated. The maximum size for chunks just needs to be "small-ish": the value this thread was trying to define.

-Neil

Aside: An even safer way to use AEAD would be to sign something derived from the decryption key and place that signature before the AEAD Encrypted Data Packet. Thus when a library streams out checked AEAD chunks, those chunks are known to be prefixes of a message that Alice sent. This is the strongest security guarantee possible with a pure streaming interface. I think it would only be useful in an environment where unsigned data is always rejected. And this would complicate the spec!

Re: [openpgp] AEAD Chunk Size Justus Winter
[openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Ronald Tse
Re: [openpgp] AEAD Chunk Size Ronald Tse
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Hanno Böck
Re: [openpgp] AEAD Chunk Size - Performance Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size - Performance Bart Butler
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size brian m. carlson
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size - Performance Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Sebastian Schinzel
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Werner Koch
Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
Re: [openpgp] AEAD Chunk Size Sebastian Schinzel
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Werner Koch
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Werner Koch
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
Re: [openpgp] AEAD Chunk Size Peter Pentchev
Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Vincent Breitmoser
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Bill Frantz
[openpgp] WTF (Re: AEAD Chunk Size) Andre Heinecke
Re: [openpgp] AEAD Chunk Size Werner Koch
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Werner Koch
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
Re: [openpgp] AEAD Chunk Size Nickolay Olshevsky
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Tobias Mueller
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Bill Frantz
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
Re: [openpgp] AEAD Chunk Size Bill Frantz
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Bill Frantz
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
Re: [openpgp] AEAD Chunk Size Marcus Brinkmann
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Wyllys Ingersoll
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size brian m. carlson
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Peter Gutmann
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
Re: [openpgp] AEAD Chunk Size Conrado P. L. Gouvêa
Re: [openpgp] AEAD Chunk Size Conrado P. L. Gouvêa
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Neal H. Walfield
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Jon Callas
Re: [openpgp] AEAD Chunk Size Heiko Stamer
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Bart Butler
Re: [openpgp] AEAD Chunk Size Derek Atkins
Re: [openpgp] AEAD Chunk Size Werner Koch
Re: [openpgp] AEAD Chunk Size Benjamin Kaduk
Re: [openpgp] [EXT] Re: AEAD Chunk Size Neil Hunsperger