[openpgp] [PATCH] Add AEAD Encrypted Data Packet with EAX
"brian m. carlson" <sandals@crustytoothpaste.net> Sun, 21 May 2017 23:44 UTC
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Date: Sun, 21 May 2017 23:44:21 +0000
Message-Id: <20170521234421.252088-1-sandals@crustytoothpaste.net>
X-Mailer: git-send-email 2.13.0.303.g4ebf302169
In-Reply-To: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net>
References: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/xfQnrxBSBCXU-djcF66mzYC81yY>
Subject: [openpgp] [PATCH] Add AEAD Encrypted Data Packet with EAX
--- middle.mkd | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ template.xml | 11 ++++++++ 2 files changed, 97 insertions(+) diff --git a/middle.mkd b/middle.mkd index c2447d5..b240a5e 100644 --- a/middle.mkd +++ b/middle.mkd 
@@ -2550,6 +2550,78 @@ packet length. The reason for this is that the hashing rules for modification detection include a one-octet tag and one-octet length in the data hash. While this is a bit restrictive, it reduces complexity. +## {5.14} AEAD Encrypted Data Packet (Tag 18) + +This packet contains data encrypted with an authenticated encryption and +additional data (AEAD) construction. When it has been decrypted, it +will typically contain other packets (often a Literal Data packet or +Compressed Data packet). + +The body of this packet consists of: + + * A one-octet version number. The only currently defined value + is 1. + + * A one-octet cipher algorithm. + + * A one-octet AEAD algorithm. + + * A one-octet chunk size. + + * A starting initialization vector of size specified by the AEAD + algorithm. This value MUST be unique and it MUST be unpredictable. + + * Encrypted data, the output of the selected symmetric-key cipher + operating in the given AEAD mode. + + * A final, summary authentication tag for the AEAD mode. + +An AEAD encrypted data packet consists of one or more chunks of data. +The plaintext of each chunk is of a size specified using the chunk size +octet using the method specified below. + +The encrypted data consists of the encryption of each chunk of +plaintext, followed immediately by the relevant authentication tag. If +the last chunk of plaintext is smaller than the chunk size, the +ciphertext for that data may be shorter; it is nevertheless followed by +a full authentication tag. + +For each chunk, the AEAD construction is given the packet header, +version number, cipher algorithm octet, AEAD algorithm octet, chunk size +octet, and an eight-octet, big-endian chunk index as additional +data. The index of the first chunk is zero. + +After the final chunk, the AEAD algorithm is used to produce a final +authentication tag encrypting the empty string. 
This AEAD instance is +given the additional data specified above, plus an eight-octet, +big-endian values specifying the total number of plaintext octets +encrypted. This allows detection of a truncated ciphertext. + +The chunk size octet specifies the size of chunks using the following +formula (in C), where c is the chunk size octet: + + chunk_size = ((uint64_t)1 << (c + 6)) + +An implementation MUST support chunk size octets with values from 0 +to 10. An implementation MAY support other chunk sizes. Chunk size +octets with values larger than 127 are reserved for future extensions. + +A new random initialization vector MUST be used for each message. + +### {5.14.1} EAX Mode + +The only currently defined AEAD algorithm is EAX Mode +[](#EAX). This algorithm can only use block ciphers with 16-octet +blocks. The starting initialization vector and authentication tag are +both 16 octets long. + +The nonce for EAX mode is computed by treating the starting +initialization vector as a 16-octet, big-endian value and +exclusive-oring the low eight octets of it with the chunk index. + +The security of EAX requires that the nonce is never reused, hence the +requirement that the starting initialization vector be unique. + # {6} Radix-64 Conversions As stated in the introduction, OpenPGP's underlying native @@ -3087,6 +3159,16 @@ require the use of SHA-1 with the exception of computing version 4 key fingerprints and for purposes of the MDC packet. Implementations SHOULD NOT use MD5 or RIPE-MD/160. +## {9.5} AEAD Algorithms + + ID Algorithm + -------- --------- + 1 EAX [](#EAX) + 100--110 Private/Experimental algorithm + +Implementations MUST implement EAX. Implementations MAY implement +other algorithms. + # {10} IANA Considerations OpenPGP is highly parameterized, and consequently there are a number 
@@ -4485,6 +4567,10 @@ SHOULD be rejected. - Although technically possible, the EdDSA algorithm MUST NOT be used with a digest algorithms weaker than SHA2-256. + - Implementations should consider limiting chunk sizes for AEAD + algorithms to avoid denial-of-service attacks when decrypting + messages. + OpenPGP was designed with security in mind, with many smart, intelligent people spending a lot of time thinking about the diff --git a/template.xml b/template.xml index 68651ba..85782ce 100644 --- a/template.xml +++ b/template.xml @@ -91,6 +91,17 @@ <date></date> </front> </reference> + + <reference anchor='EAX'> + <front> + <title>A Conventional Authenticated-Encryption Mode</title> + <author surname="Bellare" initials="M." /> + <author surname="Rogaway" initials="P." /> + <author surname="Wagner" initials="D." /> + <date year="2003" month="April" /> + </front> + </reference> + <reference anchor='ELGAMAL'> <front> <title>A Public-Key Cryptosystem and a -- 2.13.0.303.g4ebf302169
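Review bot: In the new section 5.14 (hunk at -2550), the paragraph on the final authentication tag does not say which chunk index that AEAD instance uses. The additional data "specified above" includes the chunk index, and 5.14.1 derives the EAX nonce from it, so neither the additional data nor the nonce of the final tag is fully defined. If an implementation reuses the last chunk's index, the nonce repeats under the same key, which 5.14.1 itself rules out. Suggest stating the index explicitly, for example the number of chunks processed. In the same hunk, the formula `chunk_size = ((uint64_t)1 << (c + 6))` is only defined in C for c up to 57, yet only values larger than 127 are reserved and other values MAY be supported, which leaves 58 through 127 permitted but unrepresentable; either reserve them or give a maximum for c. Also, "big-endian values specifying" should read "value".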
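Review bot: In the new section 9.5 (hunk at -3087), the table assigns only ID 1 and 100--110 and does not say how ID 0 or the remaining values are to be treated. Suggest marking 0 as reserved and the rest as unassigned, so that a parser knows to reject them rather than guess. This patch also adds no matching text under section 10, IANA Considerations, for the new packet tag or for the AEAD algorithm registry; if that section enumerates registries, both need entries. "Implementations MUST implement EAX" might be better scoped to implementations that support the Tag 18 packet.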
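Review bot: In the security considerations bullet (hunk at -4485), "should consider limiting chunk sizes" is lowercase and gives no bound, while section 5.14 lets the chunk size octet go as high as 127. Because each chunk's authentication tag follows its ciphertext, a decryptor that withholds plaintext until the tag verifies has to buffer a whole chunk, so the chunk size is a memory commitment chosen by the sender. Suggest a normative SHOULD or MUST with a concrete maximum chunk size octet that receivers accept, and say what a receiver does with a packet that exceeds it.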
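Review bot: In template.xml, the new EAX reference carries only a title, authors and a date, with no venue, seriesInfo or target, so a reader cannot tell which publication of the paper is normative for the mode. Suggest adding a seriesInfo element or a target URL for the specific version intended, since section 5.14.1 relies on this reference for the whole algorithm definition.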