Re: [openpgp] encrypted packets' quick integrity check
Tom Ritter <tom@ritter.vg> Thu, 10 March 2016 04:31 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 381D312DD8D for <openpgp@ietfa.amsl.com>; Wed, 9 Mar 2016 20:31:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ritter.vg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJk0iZCse6z6 for <openpgp@ietfa.amsl.com>; Wed, 9 Mar 2016 20:31:35 -0800 (PST)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B00312DD8C for <openpgp@ietf.org>; Wed, 9 Mar 2016 20:31:35 -0800 (PST)
Received: by mail-yw0-x234.google.com with SMTP id g127so58456942ywf.2 for <openpgp@ietf.org>; Wed, 09 Mar 2016 20:31:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=vFDY3Nn91okykC6ySfiyvYGHkyILWYf3rube/NjGk+c=; b=JvaOhqvjjwaUbcBvErmDrlbMy29FHmYhrJu0q2Yv3vhQzhDHSpbBCqaxs2FP8f4VF4 BaTPxhBLwvsq6CmKGKN8VCCa/gAJXSX4XFl/jfclAo8HZYhpouWeDJhe941klEP299R6 fWMsokWfmz/t6/ltFeDXLBPSEXtSXBGWpv7nM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=vFDY3Nn91okykC6ySfiyvYGHkyILWYf3rube/NjGk+c=; b=V/I5wKS8UJ7Gr+DPrK3+/x8Gj690mqzsE0boSya6yA6WsWo6B2ikgcRYut7cb0TUN/ mmmjhxRSYBKk2PLwFg+nfYAb2suG++I3RaSaLg0tnesq1+5bZslBlh9Z+zkxsO11weS9 DPYkpHzvyiXIreppFQz9wlppFMPy/o4kgMWzJQ7WjfTIUL/79vF2fLp6Ov3KFq2pyYnX Vt3MsDa8xPXIZWQo636H8ntNNrW20WaiDcRNUd7/Z8HO51vb/Ubk33WdIO1z5TVXCEHn gm6PilBDyJRmN+NzKBmuKuginOAn7pyvIcbNh00HIcOuEQFqW7DNmkXFFLu1tjY3BJk9 bL1Q==
X-Gm-Message-State: AD7BkJKRt8UwXWA799YnsvQ9WHdkU6HlqAuTfJq1tzdZbn6O4BUWHLJJKOIy5US1S2HEGay4tWCLSJfRp25FX90r
X-Received: by 10.129.88.69 with SMTP id m66mr711664ywb.332.1457584294599; Wed, 09 Mar 2016 20:31:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.126.197 with HTTP; Wed, 9 Mar 2016 20:31:15 -0800 (PST)
In-Reply-To: <87oaap86wr.wl-neal@walfield.org>
References: <87oaap86wr.wl-neal@walfield.org>
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 09 Mar 2016 22:31:15 -0600
Message-ID: <CA+cU71=vqnoeT4jMjED6-barr3QT8Jehf1vwSSdYN-rFOcHo8w@mail.gmail.com>
To: "Neal H. Walfield" <neal@walfield.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/lruuWsJ6dshuJ5g5iVKQ-sWZu1A>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] encrypted packets' quick integrity check
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2016 04:31:37 -0000
On 8 March 2016 at 06:56, Neal H. Walfield <neal@walfield.org> wrote: > Hi, > > I recently took a look at the Mister and Zuccherato attack on the > quick integrity check in encrypted packets (i.e., that the last two > bytes of the IV are correctly repeated)and I have two suggestions for > RFC4880bis. > > > The attack relies on finding the correct values for the quick > integrity check using an exhaustive search. This can be defeated by > making an exhaustive search unfeasible. Concretely, instead of just > copying the last two bytes of the random IV, we replicate the whole > IV. If we use a chunked AEAD mode that is safe for streaming (which I think we should) - can we just do away with the quick check entirely? -tom
- [openpgp] encrypted packets' quick integrity check Neal H. Walfield
- Re: [openpgp] encrypted packets' quick integrity … Tom Ritter
- Re: [openpgp] encrypted packets' quick integrity … Jonas Magazinius