Re: [openpgp] AEAD encrypted data packet with EAX
"brian m. carlson" <sandals@crustytoothpaste.net> Mon, 03 July 2017 17:06 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DBF7129503 for <openpgp@ietfa.amsl.com>; Mon, 3 Jul 2017 10:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bRej2JRkvX8 for <openpgp@ietfa.amsl.com>; Mon, 3 Jul 2017 10:06:34 -0700 (PDT)
Received: from castro.crustytoothpaste.net (castro.crustytoothpaste.net [75.10.60.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96E041267BB for <openpgp@ietf.org>; Mon, 3 Jul 2017 10:06:34 -0700 (PDT)
Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id 9B6B1280AD for <openpgp@ietf.org>; Mon, 3 Jul 2017 17:06:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1499101593; bh=UhgBseBwAMEckEHEfNUGH3AbimM9h2o7UBbH7+Jrg/U=; h=Date:From:To:Subject:References:In-Reply-To:From; b=jMLEyD6Lww4muOEjacjYM4563rBUUn2aNYRl2abIjHUzurho/BsYU2kt3rg0+CO0E r449igjoW61gHGj00I455CIY5cjio75OQZfHib41kR6p3ggURQBGjwoVB2l1lEFbiO pmXNFnhjO36nKapqb8y8cNN9XMDPqflYpylUiS1eKt+DDmHrSo9r0pyWR7jkyNG5lL rqo9hJhEKeKuwujh4F+ht0xuEBkqOUt7y39QD8dTC8Q4b9UtMQ4vbq1t3Yn0UlETyo XkMzEvJ3FUicSxPT/cCFF5JWxhh/vp8VC5XMdwqU/n7XExuJ6U8kaXjSKYzyMNGvzs Uey+Ruqydm+VXeMEBscjb6FRj49mh52dOHt5ctiqf4w7Q+a4+PBwqMy8JCQerfpCFs Jd2ky8baJAWHnoOLQtxI4UKnsDTkLGkdavTwc0CyY01BKblrcOm8PKGdoSZNVBtbtN 9moz9cg4wZ4+6nG9oCAzsVGx2P7AD/qzD9+hFAAiEStWJCqTD4p
Date: Mon, 03 Jul 2017 17:06:28 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <20170703170628.6wn5r4o7d7c4gwdh@genre.crustytoothpaste.net>
References: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net> <20170703160056.e4a2chvq6qvki4a4@genre.crustytoothpaste.net> <871spxtqvs.fsf@wheatstone.g10code.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="f6ugfscfcxqj7fft"
Content-Disposition: inline
In-Reply-To: <871spxtqvs.fsf@wheatstone.g10code.de>
X-Machine: Running on genre using GNU/Linux on x86_64 (Linux kernel 4.9.0-3-amd64)
User-Agent: NeoMutt/20170609 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/oUq0ebwcdP3ZZNEig5N3mmRpPqg>
Subject: Re: [openpgp] AEAD encrypted data packet with EAX
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 17:06:37 -0000
On Mon, Jul 03, 2017 at 06:41:11PM +0200, Werner Koch wrote: > On Mon, 3 Jul 2017 18:00, sandals@crustytoothpaste.net said: > > > Were there opinions on this proposal? Do people like it, dislike it, > > I have an opinion on your proposal but wanted to give others time to > reply first ;-). I have had too many other open tasks this year so that > my editorial work was too much delayed, I am sorry for this. > > I have two points, briefly: > > 1. The prior discussion showed that it will be hard to find a common > conclusion on what algorithm to use. Thus instead of having one > fixed algorithm, I will propose a modification to make the new packet > format extensible. I know that this had a lot of drawbacks and > having only one algorithm would be far better than a bunch of > algorithms which we may all need to implement. But the advantage of > allow other algorithms will give the implementers more options to > to show in practice the advantages of different algorithms. Yes, I tend to agree. Did you feel the existing extensibility mechanism in my proposal (cipher algo, AEAD algo, chunk size) was insufficient or did you have something else in mind? > 2. We really should have a way to early detect a corrupt message - not > necessary an attack but for example a bit flip somewhere on the > channel. Inserting a running checksum (say, every 1GiB) would solve > this. Obviously this depends on the algorithms, so that the existing > cipher state can be used for such a checksum. A hackish way to that > could be to take the internal state of the algorithm, hash it and > insert it into the stream. A cleaner solution would require several > concatenated cipher streams. I think my proposal actually implements that. Since my chunk proposal contains the chunk index (basically, an incrementing counter), as long as we have the key, we can immediately tell if any chunk is corrupt simply by knowing the chunk size and authentication tag length. That allows random-access to data if, for example, you know that all of your data is uncompressed tar archives. If we want something simpler in addition, we could reuse the CRC24 as most implementations will require it for the ASCII armor format. -- brian m. carlson / brian with sandals: Houston, Texas, US https://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: https://keybase.io/bk2204
- [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- [openpgp] [PATCH] Add AEAD Encrypted Data Packet … brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- [openpgp] [PATCH 1/3] Add AEAD Encrypted Data Pac… brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- [openpgp] [PATCH 3/3] Add AEAD mode for Secret Ke… brian m. carlson
- [openpgp] [PATCH 2/3] Define AEAD mode for SKESK … brian m. carlson
- Re: [openpgp] [PATCH 1/3] Add AEAD Encrypted Data… brian m. carlson