Re: [openpgp] Questions around AEAD packets

Tom Ritter <tom@ritter.vg> Tue, 14 February 2017 16:41 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EAB31293DC for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 08:41:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ritter.vg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UD2lEUCtMOQ9 for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 08:41:35 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 851C81296A4 for <openpgp@ietf.org>; Tue, 14 Feb 2017 08:41:35 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id 11so127174022qkl.3 for <openpgp@ietf.org>; Tue, 14 Feb 2017 08:41:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=eAFcVJgFi1X4X4ZN0sNGjyvtL0nFcJoqPElHJXIcvnw=; b=Blld8GEXmbJ2WIDd2mn7BdfnSb0pLvMz0kT9YG9FdDa03tBndYhdxh5M4vUzXWYWNw pyR/4ORbe0ZcMxj39AbqmpfLr5eUYATtcf2ZYxskjWAAXvMzNc8gWLC30//CTeb7Bxwz A0VfN+xkCNzYo7skeS0Yfm0vbqtzudCyXiyX0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=eAFcVJgFi1X4X4ZN0sNGjyvtL0nFcJoqPElHJXIcvnw=; b=p8YOTz0/lzW6KLA9KDR2BQsf7Wc2jyR1m3qHGdWYfBt+Fid/KvY0g3KpNy3fPJTgjv 5QccZpce7x9TEuM5409+X2D0QlYli2MczBF/hAL6SkeOKDC8kn52RH78S/Lg5QpP+PnR SUg/sV/xwSp8HE/idtZSUdID+kLcHRXpgOUfytv0IHJO6cIk9T5DBDXKHZhCtL/vG25v eEt6PDJV+EgqDwcSNOtR+ijcwH2i5m92FuVxRxHvczGwV+C58ZKiCiyM6idjx7Mh851M pU7URwG+GYHgpcvH5dt5jf4d9TuNZawYUtCnjvt1YmgNBs2JCsYfFON1CaRqne0GDfvO QOkg==
X-Gm-Message-State: AMke39l03oxp47R09dQ72qZgQNdd+e5+q0SruFt4mJebFKJ7FzDdQJha8mhqff4K7EN/BU07252jiUmIwx5A2sLS
X-Received: by 10.55.27.13 with SMTP id b13mr3153687qkb.246.1487090494235; Tue, 14 Feb 2017 08:41:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.94.244 with HTTP; Tue, 14 Feb 2017 08:41:13 -0800 (PST)
In-Reply-To: <87shnhxhah.fsf_-_@wheatstone.g10code.de>
References: <CE43260E-D723-4B00-9E81-B5F81142121F@icloud.com> <87shnhxhah.fsf_-_@wheatstone.g10code.de>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 14 Feb 2017 10:41:13 -0600
Message-ID: <CA+cU71koLVX=1pp-_vbSQM40tA4=qitT9EpHhQ0RjmpKtsbHrA@mail.gmail.com>
To: IETF OpenPGP <openpgp@ietf.org>, "brian m. carlson" <sandals@crustytoothpaste.net>, Jon Callas <joncallas@icloud.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/w2YM4GQpGX2xshQ40ZSMiaDgAVo>
Subject: Re: [openpgp] Questions around AEAD packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 16:41:37 -0000

On 14 February 2017 at 03:17, Werner Koch <wk@gnupg.org> wrote:
>  3. How can we do early detection of corruption?  When decrypting
>     several gigs we should be able to detect corrupted data after having
>     processed, say, one gig.  Shall such a feature be configurable?
>     Shall we link it to partial length headers.
>
> My ideas here are:
>
>  re 3: The simplest idea would be to use fixed chunks of the ciphertext
>        and either link them together using a counter or the hash of the
>        previous authentication tag.  The packet header would give the
>        length of the chunks in blocks.  It needs to be decided whether a
>        final one-block chunk is okay.

This seems the same question/solution of some sort of authenticated
chunked-streaming mode.  I mentioned this a couple years ago but
didn't get much discussion:
https://www.ietf.org/mail-archive/web/openpgp/current/msg07546.html

-tom