[openpgp] [PATCH] Add AEAD Encrypted Data Packet with EAX
"brian m. carlson" <sandals@crustytoothpaste.net> Sun, 21 May 2017 23:44 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D641C129AC7 for <openpgp@ietfa.amsl.com>; Sun, 21 May 2017 16:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.602
X-Spam-Level:
X-Spam-Status: No, score=-0.602 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNa5IPQUdG1I for <openpgp@ietfa.amsl.com>; Sun, 21 May 2017 16:44:30 -0700 (PDT)
Received: from castro.crustytoothpaste.net (castro.crustytoothpaste.net [75.10.60.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85E031294C4 for <openpgp@ietf.org>; Sun, 21 May 2017 16:44:30 -0700 (PDT)
Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id A5C5A280AD for <openpgp@ietf.org>; Sun, 21 May 2017 23:44:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1495410269; bh=QO/hGL1mSXCP4kkWtR2AvQIAwgoD6uTSgLuA79q2C0w=; h=From:To:Subject:Date:In-Reply-To:References:From; b=pFyXTwEKPHOZROrcDtom8mCihGqf1qHVlzdGsj7s0CI2kPu6ac5URQfY0LIxCcSjd kxQUIAB0nydttWes+x6SFnNhGcASDqWbGKpSMvB02vwhfxY2mqdrilUSOAUlg2HDXF 6jhh5itjqLa7X0/ss8Gb807g+JKXmSxDv4iW9b05aoixzh1icAUfV4pa8nqApWzqhc eH+ulgUj1zMcf+JvSYCiSEggDkf0DQxnorE/jDGJTB/z8LKPriOu3VQiy9VI1fs8OM iI4fbbTger7oj2knp6bIF4ctyu2ZSS/ZYh3eTf+S7fzyXiajMbUMZTuGLUpA0c6/Rt 77uOPXx8SoHaM9CcHU4+Dn4Fs0m1K7actOtcEWJE9lAWGp/ln3wXW8rODZTUKYYo5b MHtZmICOhJ5LpGcLSUmaKKREdYXqjIiMWZBniFE0UlqsZJJhIcpvgIn4EPrEatEr5F Wo7GN0RD7KjXUo2Yb3afuPPwan+a1Lth8y76EMddXcBoTB6Junj
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Date: Sun, 21 May 2017 23:44:21 +0000
Message-Id: <20170521234421.252088-1-sandals@crustytoothpaste.net>
X-Mailer: git-send-email 2.13.0.303.g4ebf302169
In-Reply-To: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net>
References: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/xfQnrxBSBCXU-djcF66mzYC81yY>
Subject: [openpgp] [PATCH] Add AEAD Encrypted Data Packet with EAX
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 May 2017 23:44:32 -0000
---
middle.mkd | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
template.xml | 11 ++++++++
2 files changed, 97 insertions(+)
diff --git a/middle.mkd b/middle.mkd
index c2447d5..b240a5e 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -2550,6 +2550,78 @@ packet length. The reason for this is that the hashing rules for
modification detection include a one-octet tag and one-octet length in
the data hash. While this is a bit restrictive, it reduces complexity.
+## {5.14} AEAD Encrypted Data Packet (Tag 18)
+
+This packet contains data encrypted with an authenticated encryption and
+additional data (AEAD) construction. When it has been decrypted, it
+will typically contain other packets (often a Literal Data packet or
+Compressed Data packet).
+
+The body of this packet consists of:
+
+ * A one-octet version number. The only currently defined value
+ is 1.
+
+ * A one-octet cipher algorithm.
+
+ * A one-octet AEAD algorithm.
+
+ * A one-octet chunk size.
+
+ * A starting initialization vector of size specified by the AEAD
+ algorithm. This value MUST be unique and it MUST be unpredictable.
+
+ * Encrypted data, the output of the selected symmetric-key cipher
+ operating in the given AEAD mode.
+
+ * A final, summary authentication tag for the AEAD mode.
+
+An AEAD encrypted data packet consists of one or more chunks of data.
+The plaintext of each chunk is of a size specified using the chunk size
+octet using the method specified below.
+
+The encrypted data consists of the encryption of each chunk of
+plaintext, followed immediately by the relevant authentication tag. If
+the last chunk of plaintext is smaller than the chunk size, the
+ciphertext for that data may be shorter; it is nevertheless followed by
+a full authentication tag.
+
+For each chunk, the AEAD construction is given the packet header,
+version number, cipher algorithm octet, AEAD algorithm octet, chunk size
+octet, and an eight-octet, big-endian chunk index as additional
+data. The index of the first chunk is zero.
+
+After the final chunk, the AEAD algorithm is used to produce a final
+authentication tag encrypting the empty string. This AEAD instance is
+given the additional data specified above, plus an eight-octet,
+big-endian values specifying the total number of plaintext octets
+encrypted. This allows detection of a truncated ciphertext.
+
+The chunk size octet specifies the size of chunks using the following
+formula (in C), where c is the chunk size octet:
+
+ chunk_size = ((uint64_t)1 << (c + 6))
+
+An implementation MUST support chunk size octets with values from 0
+to 10. An implementation MAY support other chunk sizes. Chunk size
+octets with values larger than 127 are reserved for future extensions.
+
+A new random initialization vector MUST be used for each message.
+
+### {5.14.1} EAX Mode
+
+The only currently defined AEAD algorithm is EAX Mode
+[](#EAX). This algorithm can only use block ciphers with 16-octet
+blocks. The starting initialization vector and authentication tag are
+both 16 octets long.
+
+The nonce for EAX mode is computed by treating the starting
+initialization vector as a 16-octet, big-endian value and
+exclusive-oring the low eight octets of it with the chunk index.
+
+The security of EAX requires that the nonce is never reused, hence the
+requirement that the starting initialization vector be unique.
+
# {6} Radix-64 Conversions
As stated in the introduction, OpenPGP's underlying native
@@ -3087,6 +3159,16 @@ require the use of SHA-1 with the exception of computing version 4 key
fingerprints and for purposes of the MDC packet. Implementations
SHOULD NOT use MD5 or RIPE-MD/160.
+## {9.5} AEAD Algorithms
+
+ ID Algorithm
+ -------- ---------
+ 1 EAX [](#EAX)
+ 100--110 Private/Experimental algorithm
+
+Implementations MUST implement EAX. Implementations MAY implement
+other algorithms.
+
# {10} IANA Considerations
OpenPGP is highly parameterized, and consequently there are a number
@@ -4485,6 +4567,10 @@ SHOULD be rejected.
- Although technically possible, the EdDSA algorithm MUST NOT be
used with a digest algorithms weaker than SHA2-256.
+ - Implementations should consider limiting chunk sizes for AEAD
+ algorithms to avoid denial-of-service attacks when decrypting
+ messages.
+
OpenPGP was designed with security in mind, with many smart,
intelligent people spending a lot of time thinking about the
diff --git a/template.xml b/template.xml
index 68651ba..85782ce 100644
--- a/template.xml
+++ b/template.xml
@@ -91,6 +91,17 @@
<date></date>
</front>
</reference>
+
+ <reference anchor='EAX'>
+ <front>
+ <title>A Conventional Authenticated-Encryption Mode</title>
+ <author surname="Bellare" initials="M." />
+ <author surname="Rogaway" initials="P." />
+ <author surname="Wagner" initials="D." />
+ <date year="2003" month="April" />
+ </front>
+ </reference>
+
<reference anchor='ELGAMAL'>
<front>
<title>A Public-Key Cryptosystem and a
--
2.13.0.303.g4ebf302169
- [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- [openpgp] [PATCH] Add AEAD Encrypted Data Packet … brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch
- [openpgp] [PATCH 1/3] Add AEAD Encrypted Data Pac… brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX brian m. carlson
- [openpgp] [PATCH 3/3] Add AEAD mode for Secret Ke… brian m. carlson
- [openpgp] [PATCH 2/3] Define AEAD mode for SKESK … brian m. carlson
- Re: [openpgp] [PATCH 1/3] Add AEAD Encrypted Data… brian m. carlson
- Re: [openpgp] AEAD encrypted data packet with EAX Werner Koch