Re: [openpgp] On Streaming and Chunking

ianG <iang@iang.org> Thu, 26 March 2015 14:07 UTC

Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574DE1A88C8 for <openpgp@ietfa.amsl.com>; Thu, 26 Mar 2015 07:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1CZ40qXrdX0 for <openpgp@ietfa.amsl.com>; Thu, 26 Mar 2015 07:07:21 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56BBE1A8700 for <openpgp@ietf.org>; Thu, 26 Mar 2015 07:07:21 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id F2A736D787; Thu, 26 Mar 2015 10:07:19 -0400 (EDT)
Message-ID: <55141296.5050206@iang.org>
Date: Thu, 26 Mar 2015 14:07:18 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <CA+cU71kTbjZd8Kz1qxJfA9XQDu+Lju6VhWHVCqwagEC8f0UEzQ@mail.gmail.com>
In-Reply-To: <CA+cU71kTbjZd8Kz1qxJfA9XQDu+Lju6VhWHVCqwagEC8f0UEzQ@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/toa_X8EaTLwM1vALiatjFEmfeqI>
Subject: Re: [openpgp] On Streaming and Chunking
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 14:07:23 -0000

On 24/03/2015 12:25 pm, Tom Ritter wrote:
> Adam's post on streaming API's has been posted before:
> https://www.imperialviolet.org/2014/06/27/streamingencryption.html
>
> The same problem is the root cause of the Java GCM CipherInputStream
> issue: http://blog.philippheckel.com/2014/03/01/cipherinputstream-for-aead-modes-is-broken-in-jdk7-gcm/
>
> But I haven't seen any discussion of Adam's point that one _can_
> construct a format for chunking and authenticating the chunks (and
> ordering thereof) to provide authenticated streaming. And that someone
> has already done so:
> https://github.com/kaepora/miniLock#4-file-encryption
>
> I think support for a mode like this would be good to consider, and I
> think if IPR allows it, a fully-specified design for it is a good
> place to start.



Part of the problem here is that there are a few too many moving parts.



One moving part in particular is the interface design.  It has been an 
article of faith for a long time that the crypto libraries should 
deliver to the application a CIPHER metaphor, and that's good enough for 
any programmer.  And a MAC metaphor.  And a MODE metaphor.  Which has 
gradually morphed into a CIPHER/MODE/MAC metaphor.

Instead it would be better if the crypto library delivered a PROTOCOL 
metaphor.  For an example of this, look to djb's cryptobox.  It delivers 
a complete arrangement for doing authentication using private/public 
keypairs.  I do something similar, I call them Cryptors or Bees, to 
indicate they do "stuff" that isn't amenable to any easy boxing.

Part of the fight against this move up the stack is the 
'standardisation' argument, but this is only partially correct.  It is 
entirely possible to standardise around djb's example.  Just 
uncomfortable for some.

Now, with this in mind, why does this cause a problem?  Well, as there 
is more and more cruft added into the Java Cipher class, it is 
inevitable that they are going to get it wrong at some point.  Taking 
from the above links:

    Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC");

That's just an open door for trouble, it's the cryptoplumbing equivalent 
of a goto.



iang



ps; I'm not entirely convinced I have the above argument fulsome and 
correct.  It's a sort of evolving critique against crypto libraries, 
there is something there/wrong, and I'm slowly trying to tease out what 
it is.