Re: [openpgp] On Streaming and Chunking
ianG <iang@iang.org> Thu, 26 March 2015 14:07 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574DE1A88C8 for <openpgp@ietfa.amsl.com>; Thu, 26 Mar 2015 07:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1CZ40qXrdX0 for <openpgp@ietfa.amsl.com>; Thu, 26 Mar 2015 07:07:21 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56BBE1A8700 for <openpgp@ietf.org>; Thu, 26 Mar 2015 07:07:21 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id F2A736D787; Thu, 26 Mar 2015 10:07:19 -0400 (EDT)
Message-ID: <55141296.5050206@iang.org>
Date: Thu, 26 Mar 2015 14:07:18 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <CA+cU71kTbjZd8Kz1qxJfA9XQDu+Lju6VhWHVCqwagEC8f0UEzQ@mail.gmail.com>
In-Reply-To: <CA+cU71kTbjZd8Kz1qxJfA9XQDu+Lju6VhWHVCqwagEC8f0UEzQ@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/toa_X8EaTLwM1vALiatjFEmfeqI>
Subject: Re: [openpgp] On Streaming and Chunking
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 14:07:23 -0000
On 24/03/2015 12:25 pm, Tom Ritter wrote: > Adam's post on streaming API's has been posted before: > https://www.imperialviolet.org/2014/06/27/streamingencryption.html > > The same problem is the root cause of the Java GCM CipherInputStream > issue: http://blog.philippheckel.com/2014/03/01/cipherinputstream-for-aead-modes-is-broken-in-jdk7-gcm/ > > But I haven't seen any discussion of Adam's point that one _can_ > construct a format for chunking and authenticating the chunks (and > ordering thereof) to provide authenticated streaming. And that someone > has already done so: > https://github.com/kaepora/miniLock#4-file-encryption > > I think support for a mode like this would be good to consider, and I > think if IPR allows it, a fully-specified design for it is a good > place to start. Part of the problem here is that there are a few too many moving parts. One moving part in particular is the interface design. It has been an article of faith for a long time that the crypto libraries should deliver to the application a CIPHER metaphor, and that's good enough for any programmer. And a MAC metaphor. And a MODE metaphor. Which has gradually morphed into a CIPHER/MODE/MAC metaphor. Instead it would be better if the crypto library delivered a PROTOCOL metaphor. For an example of this, look to djb's cryptobox. It delivers a complete arrangement for doing authentication using private/public keypairs. I do something similar, I call them Cryptors or Bees, to indicate they do "stuff" that isn't amenable to any easy boxing. Part of the fight against this move up the stack is the 'standardisation' argument, but this is only partially correct. It is entirely possible to standardise around djb's example. Just uncomfortable for some. Now, with this in mind, why does this cause a problem? Well, as there is more and more cruft added into the Java Cipher class, it is inevitable that they are going to get it wrong at some point. Taking from the above links: Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC"); That's just an open door for trouble, it's the cryptoplumbing equivalent of a goto. iang ps; I'm not entirely convinced I have the above argument fulsome and correct. It's a sort of evolving critique against crypto libraries, there is something there/wrong, and I'm slowly trying to tease out what it is.
- [openpgp] On Streaming and Chunking Tom Ritter
- Re: [openpgp] On Streaming and Chunking ianG
- Re: [openpgp] On Streaming and Chunking Peter Gutmann