Re: [openpgp] AEAD mode unverified chunks

Benjamin Kaduk <kaduk@mit.edu> Sun, 01 July 2018 17:17 UTC

Date: Sun, 01 Jul 2018 12:17:40 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Message-ID: <20180701171740.GA22125@kduck.kaduk.org>
References: <df7db7b9-b661-7534-1c34-fd63ae2876d9@ruhr-uni-bochum.de> <1530428015814.83795@cs.auckland.ac.nz> <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de> <1530453318943.37822@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1530453318943.37822@cs.auckland.ac.nz>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/uAAIZizjjSaPd7sEOa1YV1MQ88w>
Subject: Re: [openpgp] AEAD mode unverified chunks

On Sun, Jul 01, 2018 at 01:55:30PM +0000, Peter Gutmann wrote:
> Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org> writes:
> 
> >  If a chunk can not be authenticated, implementations MUST discard the
> >  plaintext of that chunk without further processing
> 
> But that then requires the artificial chunk-size restriction you mentioned in
> an earlier message, which also means you'll start expanding messages if you
> have to break them up into smallish chunks with IVs and MACs and whatnot in
> each chunk...

Aren't we talking about a greenfield new proposal that can in fact mandate
such chunk-size restrictions?

-Ben

> Hmmm, and a comment on the text:
> 
> "A new random initialization vector MUST be used for each message".
> 
> That should be "for each chunk", along with a strong warning about the fact
> that you'll get a catastrophic failure of security if you don't do this and
> use a highly brittle AEAD mode like GCM.  That is, this isn't just some nice
> thing to do like the usual comment about using fresh IVs, you'll get a
> catastrophic security failure if you don't, far more so than with any other
> encryption mode that uses IVs.
> 
> Peter.
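The chunked-AEAD behaviour the thread is arguing about, as an added example that is not from the thread or from any OpenPGP implementation: each chunk is sealed under its own nonce and tag, the chunk index is bound as associated data, and the decryptor releases nothing from a chunk whose tag fails. The nonce layout, 16-byte chunk size, key and IV prefix are constructed for the demo and do not follow the draft's exact format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// chunkNonce builds a 12-byte nonce: 4-byte per-message IV prefix || 64-bit chunk index
// (a simplified layout, not the draft's exact one); the index half doubles as associated data.
func chunkNonce(prefix []byte, idx uint64) []byte {
	n := append(make([]byte, 0, 12), prefix[:4]...)[:12]
	binary.BigEndian.PutUint64(n[4:], idx)
	return n
}

// sealChunks encrypts 16-byte chunks (tiny for the demo); each gets its own nonce and tag.
func sealChunks(aead cipher.AEAD, prefix, pt []byte) (out [][]byte) {
	for idx, off := uint64(0), 0; off < len(pt); idx, off = idx+1, off+16 {
		end := off + 16
		if end > len(pt) {
			end = len(pt)
		}
		n := chunkNonce(prefix, idx)
		out = append(out, aead.Seal(nil, n, pt[off:end], n[4:]))
	}
	return out
}

// openChunks releases plaintext only for verified chunks and stops at the first failing tag.
func openChunks(aead cipher.AEAD, prefix []byte, chunks [][]byte) (out []byte, err error) {
	for i, c := range chunks {
		n := chunkNonce(prefix, uint64(i))
		pt, e := aead.Open(nil, n, c, n[4:])
		if e != nil {
			return out, fmt.Errorf("chunk %d failed authentication: %w", i, e)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key, not a real secret
	aead, _ := cipher.NewGCM(block)
	chunks := sealChunks(aead, []byte("iv01"), []byte("chunked AEAD demo: one nonce and tag per chunk"))
	chunks[1][0] ^= 1 // corrupt the second chunk in transit; only chunk 0's plaintext is released
	fmt.Println(openChunks(aead, []byte("iv01"), chunks))
}
```

Dropping trailing chunks is not detected by this sketch; a real design also needs a final tag that authenticates the total length.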