Re: [openpgp] AEAD encrypted data packet with EAX

"brian m. carlson" <sandals@crustytoothpaste.net> Mon, 03 July 2017 17:06 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DBF7129503 for <openpgp@ietfa.amsl.com>; Mon, 3 Jul 2017 10:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bRej2JRkvX8 for <openpgp@ietfa.amsl.com>; Mon, 3 Jul 2017 10:06:34 -0700 (PDT)
Received: from castro.crustytoothpaste.net (castro.crustytoothpaste.net [75.10.60.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96E041267BB for <openpgp@ietf.org>; Mon, 3 Jul 2017 10:06:34 -0700 (PDT)
Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id 9B6B1280AD for <openpgp@ietf.org>; Mon, 3 Jul 2017 17:06:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1499101593; bh=UhgBseBwAMEckEHEfNUGH3AbimM9h2o7UBbH7+Jrg/U=; h=Date:From:To:Subject:References:In-Reply-To:From; b=jMLEyD6Lww4muOEjacjYM4563rBUUn2aNYRl2abIjHUzurho/BsYU2kt3rg0+CO0E r449igjoW61gHGj00I455CIY5cjio75OQZfHib41kR6p3ggURQBGjwoVB2l1lEFbiO pmXNFnhjO36nKapqb8y8cNN9XMDPqflYpylUiS1eKt+DDmHrSo9r0pyWR7jkyNG5lL rqo9hJhEKeKuwujh4F+ht0xuEBkqOUt7y39QD8dTC8Q4b9UtMQ4vbq1t3Yn0UlETyo XkMzEvJ3FUicSxPT/cCFF5JWxhh/vp8VC5XMdwqU/n7XExuJ6U8kaXjSKYzyMNGvzs Uey+Ruqydm+VXeMEBscjb6FRj49mh52dOHt5ctiqf4w7Q+a4+PBwqMy8JCQerfpCFs Jd2ky8baJAWHnoOLQtxI4UKnsDTkLGkdavTwc0CyY01BKblrcOm8PKGdoSZNVBtbtN 9moz9cg4wZ4+6nG9oCAzsVGx2P7AD/qzD9+hFAAiEStWJCqTD4p
Date: Mon, 03 Jul 2017 17:06:28 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <20170703170628.6wn5r4o7d7c4gwdh@genre.crustytoothpaste.net>
References: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net> <20170703160056.e4a2chvq6qvki4a4@genre.crustytoothpaste.net> <871spxtqvs.fsf@wheatstone.g10code.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="f6ugfscfcxqj7fft"
Content-Disposition: inline
In-Reply-To: <871spxtqvs.fsf@wheatstone.g10code.de>
X-Machine: Running on genre using GNU/Linux on x86_64 (Linux kernel 4.9.0-3-amd64)
User-Agent: NeoMutt/20170609 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/oUq0ebwcdP3ZZNEig5N3mmRpPqg>
Subject: Re: [openpgp] AEAD encrypted data packet with EAX
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 17:06:37 -0000

On Mon, Jul 03, 2017 at 06:41:11PM +0200, Werner Koch wrote:
> On Mon,  3 Jul 2017 18:00, sandals@crustytoothpaste.net said:
> 
> > Were there opinions on this proposal?  Do people like it, dislike it,
> 
> I have an opinion on your proposal but wanted to give others time to
> reply first ;-).  I have had too many other open tasks this year so that
> my editorial work was too much delayed, I am sorry for this.
> 
> I have two points, briefly:
> 
> 1. The prior discussion showed that it will be hard to find a common
>    conclusion on what algorithm to use.  Thus instead of having one
>    fixed algorithm, I will propose a modification to make the new packet
>    format extensible.  I know that this had a lot of drawbacks and
>    having only one algorithm would be far better than a bunch of
>    algorithms which we may all need to implement.  But the advantage of
>    allow other algorithms will give the implementers more options to
>    to show in practice the advantages of different algorithms.

Yes, I tend to agree.  Did you feel the existing extensibility mechanism
in my proposal (cipher algo, AEAD algo, chunk size) was insufficient or
did you have something else in mind?

> 2. We really should have a way to early detect a corrupt message - not
>    necessary an attack but for example a bit flip somewhere on the
>    channel.  Inserting a running checksum (say, every 1GiB) would solve
>    this.  Obviously this depends on the algorithms, so that the existing
>    cipher state can be used for such a checksum.  A hackish way to that
>    could be to take the internal state of the algorithm, hash it and
>    insert it into the stream.  A cleaner solution would require several
>    concatenated cipher streams.

I think my proposal actually implements that.  Since my chunk proposal
contains the chunk index (basically, an incrementing counter), as long
as we have the key, we can immediately tell if any chunk is corrupt
simply by knowing the chunk size and authentication tag length.  That
allows random-access to data if, for example, you know that all of your
data is uncompressed tar archives.

If we want something simpler in addition, we could reuse the CRC24 as
most implementations will require it for the ASCII armor format.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204