Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Bryan Ford <> Fri, 26 February 2016 13:51 UTC

From: Bryan Ford <>
In-Reply-To: <>
Date: Fri, 26 Feb 2016 08:51:47 -0500
Message-Id: <>
References: <> <> <> <> <>
To: Nils Durner <>

P.S. Wherever ‘reputable’ appears in the message below that should have said ‘repudiable’.  Thanks Apple for spelling auto-corrections that completely obliterate the technical meaning of sentences… :(

On Feb 23, 2016, at 12:36 PM, Bryan Ford <> wrote:
> On Feb 10, 2016, at 1:52 PM, Nils Durner <> wrote:
>> Hi,
>>> To be clear, there are two separate use-cases, each of which make
>>> sense without the other and require different technical solutions (but
>>> could also make sense together):
>>> 1. Streaming-mode integrity protection:
>>> [...]
>>> To achieve goal #1 properly, it appears that what we need is not only
>>> a MAC per chunk but a signature per chunk.
>> Different ideas:
>> 1. asymmetrically encrypt and sign the MAC key, make this a new packet
>>   type to be prepended to the symmetrically encrypted data
> By this, do you mean just write one asymmetrically encrypted-and-signed MAC key at the beginning of the stream, followed by a bunch of records that are only MAC-authenticated with that symmetric key?  
> This would appear insecure to me, at least in the case the stream is encrypted to two or more recipients.  Say Alice signs-and-encrypts a stream to Bob and Charlie.  Bob takes Alice’s encrypted-and-signed MAC key record, then uses the same MAC key to construct a completely different stream of actual content (all of whose MAC records verify just fine) and sends it to Charlie, claiming that it’s from Alice.
> Maybe this is only a problem in the two-or-more-receivers case, but even if so it makes me nervous.  If PGP had a reputable, non-signing sender-authentication mode for 2-party communication only, then it might make sense for an asymmetric “repudiable authentication record” to be followed by a stream of MAC-authenticated records. But that seems like a fairly different protocol (or at least a fairly different mode).
>> 2. derive the MAC key from the symmetric encryption key, sign it (but
>>   do not store it) and make this a new packet type to be prepended
>>   (thus saving the asymmetric encryption from #1)
>> 3. use an authenticating sym cipher mode with intermediate
>>   authentication tags, with the symmetric key asymmetrically signed
>>   (like #2)
> Assuming I’m correctly understanding that in cases #2 and #3 also just have one asymmetric record at the beginning of the stream, it seems like the same considerations apply as with #1.  Perhaps OK for 2-party repudiable authentication, but not if we need to retain the signed-message semantics that PGP currently provides especially in the multiple-receiver case.
> Cheers
> Bryan
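The forgery Bryan describes above, carried out end to end, as an added example that is not part of the thread and not OpenPGP code. It models design #1 (one signed MAC key at the head of the stream, then MAC-only records) and the "signature per chunk" alternative. To stay in the Python standard library it uses a toy textbook RSA signature over SHA-256 (no padding; illustration only, never use it as-is), and it models "asymmetrically encrypt the MAC key to each recipient" by simply handing Bob and Charlie the key, since a legitimate recipient ends up with it either way. The function names, the 4-byte sequence prefix in the MAC and signature inputs, and the two-chunk sample streams are all assumptions of this example.

```python
import hashlib
import hmac
import os
import random

# --- toy RSA signature (illustration only; textbook RSA, no padding) ---
def _probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Returns (public, private) = ((e, n), (d, n)). 512-bit keys: demo size only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")  # 256 bits < n

def rsa_sign(priv, msg):
    d, n = priv
    return pow(_digest(msg), d, n)

def rsa_verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(msg)

# --- design #1 from the thread: one signed MAC key, then MAC-only records ---
def _rec(i, chunk):
    return i.to_bytes(4, "big") + chunk   # assumed framing: 4-byte sequence + data

def make_header(alice_priv, mac_key):
    # Alice signs the MAC key once; recipients each get a copy of mac_key.
    return {"mac_key": mac_key, "sig": rsa_sign(alice_priv, mac_key)}

def mac_records(mac_key, chunks):
    return [(i, c, hmac.new(mac_key, _rec(i, c), "sha256").digest())
            for i, c in enumerate(chunks)]

def verify_design1(alice_pub, header, records):
    """Charlie's check: Alice's signature on the key, then each record's HMAC."""
    if not rsa_verify(alice_pub, header["mac_key"], header["sig"]):
        return False
    k = header["mac_key"]
    return all(hmac.compare_digest(t, hmac.new(k, _rec(i, c), "sha256").digest())
               for i, c, t in records)

# --- signature per chunk: needs Alice's private key for every record ---
def sign_records(priv, chunks):
    return [(i, c, rsa_sign(priv, _rec(i, c))) for i, c in enumerate(chunks)]

def verify_per_chunk(alice_pub, records):
    return all(rsa_verify(alice_pub, _rec(i, c), s) for i, c, s in records)

def demo():
    alice_pub, alice_priv = rsa_keygen()
    _bob_pub, bob_priv = rsa_keygen()          # Bob has his own key, not Alice's
    mac_key = os.urandom(32)
    header = make_header(alice_priv, mac_key)   # goes to both Bob and Charlie
    genuine = [b"meet at 10:00", b"bring the report"]   # constructed sample stream
    forged = [b"meet at 22:00", b"bring the cash"]      # Bob's replacement content

    accepts_genuine = verify_design1(alice_pub, header, mac_records(mac_key, genuine))
    # Bob reuses Alice's header unchanged and MACs his own records under the
    # same key; nothing in Charlie's check can tell the two streams apart.
    accepts_forgery = verify_design1(alice_pub, header, mac_records(mac_key, forged))

    # With a signature per chunk Bob can only sign with his own key.
    accepts_signed_genuine = verify_per_chunk(alice_pub, sign_records(alice_priv, genuine))
    accepts_signed_forgery = verify_per_chunk(alice_pub, sign_records(bob_priv, forged))
    return accepts_genuine, accepts_forgery, accepts_signed_genuine, accepts_signed_forgery

if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

`verify_design1` accepts both streams because everything it checks (the signature on the key, the HMACs) is computable by any holder of `mac_key`, which every recipient is; the signature binds Alice to the key, not to the content. Per-chunk signatures remove that, but the sequence number alone does not stop a recipient from truncating a stream after any record, so a practitioner would also sign an explicit end-of-stream marker (or total length) in the last chunk.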