Re: [openpgp] AEAD mode unverified chunks

Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de> Sun, 01 July 2018 13:39 UTC

To: openpgp@ietf.org
References: <df7db7b9-b661-7534-1c34-fd63ae2876d9@ruhr-uni-bochum.de> <1530428015814.83795@cs.auckland.ac.nz>
From: Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de>
Date: Sun, 01 Jul 2018 15:39:03 +0200
In-Reply-To: <1530428015814.83795@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/wJ8KbW-YlC-aVY_GMFE5loN7j_A>

On 07/01/2018 08:53 AM, Peter Gutmann wrote:
> Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org> writes:
> 
>> If a chunk can not be authenticated, implementations MUST discard the
>> plaintext without further processing.  Unauthenticated plaintext MUST not be
>> output to other applications or the user.
> 
> Unfortunately it's nowhere near as simple as that, in general, this is an
> unsolvable problem.  See:
> 
> https://tools.ietf.org/html/rfc6476#section-6
> 
> for a discussion.

Maybe the above wording was not clear. The plaintext in question refers
to that of a single chunk.  Here is another suggestion for a specific text:

  If a chunk can not be authenticated, implementations MUST discard the
  plaintext of that chunk without further processing, and stop
  processing the message with an error.  Unauthenticated
  plaintext MUST NOT be output to other applications or the user.
  Truncated, authenticated plaintext MAY be output, if the truncation is
  reported as an error to the application or the user after the fact.

In case of truncation, it is true that the (authenticated) beginning of
the whole message might have been output to applications or users. That
is strictly (and vastly) better than outputting tampered plaintext for
any particular chunk.  Truncated plaintext can still be detected and the
error can be indicated after the fact.

Aborting an ongoing operation is a failure case that application
developers and users are familiar with. It happens all the time, for
many reasons (for example, lack of disk space or out of memory
conditions, or any number of simple bugs when processing the data). It
is unsurprising, and it can be dealt with at the application and user side.

Tampered plaintext can be dangerous in many surprising and compromising
ways, as the EFAIL researchers have shown. It is not a failure case that
users or application developers are familiar with. They should not have
to deal with it.

If an impossible problem is easily separable into a solvable problem that
achieves 99% of the goals, and an impossible problem for the remaining
1%, that's a resounding success.

Thanks,
Marcus
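
The receiver behaviour proposed in this message, as an added Go sketch that is not part of the original post or of any OpenPGP implementation: a chunk is released only after its tag verifies, the first failure aborts, and truncation is reported after the authentic prefix has been output. The framing (AES-256-GCM, chunk index as nonce, an empty end marker, one message per key) and the names `NewAEAD`, `SealChunks` and `OpenStream` are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrTampered = errors.New("chunk failed authentication")
var ErrTruncated = errors.New("stream ended before the final marker")

func NewAEAD(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always valid
	aead, _ := cipher.NewGCM(block)
	return aead
}

func nonce(i int) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), uint64(i)) }

// Constructed framing, not OpenPGP's: nonce = chunk index; AAD 0 = data, AAD 1 = end marker.
func SealChunks(aead cipher.AEAD, chunks [][]byte) (wire [][]byte) {
	for i, pt := range chunks {
		wire = append(wire, aead.Seal(nil, nonce(i), pt, []byte{0}))
	}
	return append(wire, aead.Seal(nil, nonce(len(chunks)), nil, []byte{1}))
}

// OpenStream passes a chunk to emit only after its tag verifies; the first failure aborts.
func OpenStream(aead cipher.AEAD, wire [][]byte, emit func([]byte)) error {
	for i, c := range wire {
		pt, err := aead.Open(nil, nonce(i), c, []byte{0})
		if err != nil {
			if _, err = aead.Open(nil, nonce(i), c, []byte{1}); err == nil {
				return nil // authenticated end-of-message marker
			}
			return ErrTampered // discard this chunk and stop
		}
		emit(pt)
	}
	return ErrTruncated // everything emitted so far was authentic, but incomplete
}

func main() {
	aead := NewAEAD([32]byte{1}) // constructed demo key
	wire := SealChunks(aead, [][]byte{[]byte("pay "), []byte("alice")})
	fmt.Println(OpenStream(aead, wire[:1], func(p []byte) { fmt.Printf("%q ", p) }))
}
```

Because the chunk index is part of the nonce, dropping or reordering chunks in the middle of the stream surfaces as `ErrTampered`; only a cut at the tail yields `ErrTruncated`.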