Re: [openpgp] AEAD Chunk Size

Sebastian Schinzel <schinzel@fh-muenster.de> Wed, 13 March 2019 06:32 UTC

Return-Path: <schinzel@fh-muenster.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62257130E8D for <openpgp@ietfa.amsl.com>; Tue, 12 Mar 2019 23:32:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nF3Ky9wbAGQs for <openpgp@ietfa.amsl.com>; Tue, 12 Mar 2019 23:32:18 -0700 (PDT)
Received: from mail.fh-muenster.de (mail.fh-muenster.de [212.201.120.190]) by ietfa.amsl.com (Postfix) with ESMTP id 910FD12008F for <openpgp@ietf.org>; Tue, 12 Mar 2019 23:32:17 -0700 (PDT)
Received: from [192.168.1.80] (x2f4277b.dyn.telefonica.de [2.244.39.123]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: ss560221) by mail.fh-muenster.de (Postfix) with ESMTPSA id 409082846E8 for <openpgp@ietf.org>; Wed, 13 Mar 2019 07:32:15 +0100 (CET)
From: Sebastian Schinzel <schinzel@fh-muenster.de>
To: openpgp@ietf.org
References: <87mumh33nc.wl-neal@walfield.org> <87d0n174w6.fsf@wheatstone.g10code.de>
Openpgp: preference=signencrypt
Autocrypt: addr=schinzel@fh-muenster.de; prefer-encrypt=mutual; keydata= mQINBFOa+aQBEADFp3ZEX5454aNLUNuYBsrD65WKrXRzU5v1KAWCcm14fzqn1wbfjheSe3Rt EfsxQjHdCb9vJWv2A1j4ZIA7AUcfs8GFOYIkCTAeFtJ1XuFbyPJO+gO9jnWk9+Af3Pt5RVAq 4ReOTVF19v+VS02jNe0lEAMxmqhKGuKHWe4yhRigS+QHCnd3davvcWpyPbjFAE4RHfKkbej9 mNXFlC21u/kKyXr/PJ+1HkJ0lMXZ7CM4unJV0mPk+Z0r5meyGZBxOoJpJO9V/bc69u2jgF/3 wVnOIAwGiPJxLn7PFQ+k8Bs14X+ZVGEbk0iRmnRqFQgptkw5J0sRUiPij6CApyqEqUKQfzAk KXH3wEWQjCrm8dcucwIl7bWYFId/PMJDuh3Pj8kXVhxSZd0oTwCJiPnetI2ltAT8BpAO+6XF WTd7k5VH+HaJ3d607UhKsO8x1yt78v3/YrbN2uehG87sEtCk0DTPFzCJR/EI42QGIBDiQIi+ WvhofaEFSyLpwuDWvFJReXdm1Vz78AvOwDB+/HJHnePQYAP+F1owupJtK5ifluJ2A6isbFIj pIZDn8n1xXbuScMrFRsF7wlCnuBbfAlheb5cTucXCD8A18Zqb7q1sYtA3K5GgTbR47jUTM5d E2DxPHrZJ5dcfzercSavWEO5rKJPTpFGi1REA2vUOww6XkUFqQARAQABtCxTZWJhc3RpYW4g U2NoaW56ZWwgPHNjaGluemVsQGZoLW11ZW5zdGVyLmRlPokCPgQTAQoAKAIbAwYLCQgHAwIG FQgCCQoLBBYCAwECHgECF4AFAll/HL8FCQ9KJJsACgkQak2UVL9+7zVtJA//ZUwXrdxsHf0n RXqNaQ3yWN1Bj//KN0OQFyqBv+aVqmvqn6gPGpW8u1xRht3DQxtGCNN7x2QAsI9meUkETPqG 36P4KTjkRDHcXIVmyyxKXKxNCpa0w4hC5fGhR4h9PIHTSgAqPCB7Hi6JSveDHf4AyO0gNkez dQ8OGHT4uwLwH9ELR7An9F3asF8L5Ym7xTqBRrWtfXsQG+UnWO+oJXrLKsaB7k3iQWK6Ms9x LKVNphJh7PWw/l9dvlGN/HpnT/JNI+QoCzgO1Qyq1ixKFwj+wJXF/Tgrrkp4g7lZJc5ldZju gudXltEolN7lGYTtjvm2Qu3ubOAFWqSdMUEHMZRL7mWmff4td0foasuUX5KPa9F1TKip3G9A WyHNOR/nqIxzGCyylMEsjHCaCiwqLScBa1OHs7QTHUEtCw6oaHDvohLuKY9FKypieLkyzTp/ PpQR+NRQfk3JD3W0YAhMO8vDIHthA0JUk9ms+WObDqb/aVuKiHkZ3wiibArP/CR5S/7Z6HTS 2pTGIkGd+/qDKlAfz7+KLmb5mDRiDPmVn1keHPy8v86o9ZaxcalAdZ7wwmJrLu6CBitKRFIL mvY9LjeTYqtYEakS5xl6yTG+7ybGrkUycMLs1mmrrJ8CH9AAlLAVmpTKlGQrEiDusp/6R/fQ EVTUtqCJpb+XugVhvl/+H7e5Ag0EU5r5pAEQANSMW8nfA44amRxmxyfCbN4YFD8knSZN8QOW fR/JV6UTUWnHmdxkg01RHEA43o0Ec0rCJdGFhCj5wtii4UimMLLgLIWIrneKNkNrrU9HnOJw qv81etFvmIny1l6ac7Z6MAVf4jssVXq4ZjI1SLXz3FDGPY09wraafiHvzirQO5FUzfdM6/PA 0TOQ0jkCO7kE/mtMXq1Qbb17NOY+ixzx260Er5TSunFKKVDPCelFS1aAEwnXpb/chLb4luVb Fb67jkpIJTF+rc3it5G4Q2RxFgmky/n/XA+HM3UAMjyteASPSrHi7JkjerOibudK3bZ1OIxc 2MOSTOBJuJc7KZ7a8chr8TiQcABz5KNpYlHEPbR4P/dYdwPcnKtAaZev1Zpm1CfRJFumnsSV RuoQWxeVJgd3L8zkcCib9K8fOIy0iAXb5q1ganOWmxJ26xzFHF/IVvt92IYV635nAAbt5M6V 3Oqj9w6XHTTwNMHtL7D1EaVqdzVxmEd3DXjoYCMiLW8rdmeL28wpS6qONDQcBTfHdNJEmZxa SC9q5lKNjmzUT+TmJYlmAy3q1FvC0feChd+QbOzJkUbYaw+MlHsdn18c+YGER3xTeK4yAxVm VLLDSzKkT+cXiypGZHsoj7ODxAY4H1iRkegZtXw/FyuCzGjewkeAbZ3Ih8FevLK44Dp2PMpj ABEBAAGJAiUEGAEKAA8CGwwFAll/HM4FCQ9KJKoACgkQak2UVL9+7zWenA//ZvwzOE1vosy6 VOTfuIs4fdx/0qxIRKaAyuQzKDEH+OhzgugFs76vBS143mWJ44jk4YvifKEVG0OomPNFs2q/ 2FjDPr1b5QUOGeTV2Cs3HoMr9mOp1OvO748RW3MHWBx5dof1Jlb4jXuatBbxSf9tp6b9JLNd gD9s3tvGog7bLhoGyHRzN9kG8GlHwEwGxuVjevkVcvtROfqdPqf/9Es9W4g4Sru6Z0bfW5fE Yrt8qSMllfis0colsHaXPpO0AmtVwDO5i7bMFfADAUcUzXFWnqsaCkZr0lj8bLrXCOSCPgFe rNcJFnoiH0FgbbFisQfM/T10lan/ZbSuCtQICGmfYmnu4uaiZFq4Y/4rEwSCLesyqrsJ6ps3 P8FO6PagYKZQ/TtSYNREy/LF1wsS6LccmDLU5QOfSx2E3uHRAOKnTARjrEOvPmRz6ILagOXL zDU8yQbjoqyQLbS/Ow2B/i38L/2Xo/xJ1JTF/LwyQ0HNonEC8Y48V3eBtGiw2LFFO8c8Cdgk t3h5BoTQAZsvrCvfSxMG5S307auaEJ+e+JiN2WZk/QUbAg+CpuGhjtz1LpG6KlA1k3pgWDpN zLOPLANGHQ8IQtKY4rnbAykdVavIGOnPj392VL5Pbpk+fqfDiKJ0DjODjoayR+SXdKIL+KFH ymIDIdjRsvAC1KRImp6PDpo=
Message-ID: <e66e0572-ea5e-c691-b188-25784a206e21@fh-muenster.de>
Date: Wed, 13 Mar 2019 07:32:14 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <87d0n174w6.fsf@wheatstone.g10code.de>
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lgKdAWyYpV982tYwVYt-WxXyZ9Y>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 06:32:20 -0000

Am 01.03.19 um 15:50 schrieb Werner Koch:
>> Consequently, I propose not only imposing a reasonable ceiling on the
>> chunk size that even small embedded devices with a cortex M0 could
>> handle, but to simply fix the parameter to 16 KiB.  It's not clear to
> 
> Without sufficient storage a smaller chunk size does not help you in any
> way.  You can still run a truncation attack and by that time the
> preceding chunks have already been processed in some way because, well,
> there was no way to store the entire message.  Without the final chunk
> you have an incomplete and thus unauthenticated message because the
> sender authenticated the entire message and not certain parts of it.

Chosen ciphertext attacks and truncation attacks are two different
attack classes, with different assumptions on the plaintext format and
the necessary attacker capabilities.

Neal's proposal to mandate a small and fixed chunk size can solve
ciphertext malleability for future OpenPGP applications. Waving this
proposal off, just because it won't also solve truncation attacks, does
not make sense.

Best
Sebastian