Re: [openpgp] AEAD mode unverified chunks

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 02 July 2018 03:03 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Date: Mon, 02 Jul 2018 03:03:22 +0000
Message-ID: <1530500589685.30228@cs.auckland.ac.nz>
References: <df7db7b9-b661-7534-1c34-fd63ae2876d9@ruhr-uni-bochum.de> <1530428015814.83795@cs.auckland.ac.nz> <7080a271-6244-13d3-04da-d00a32766de1@ruhr-uni-bochum.de> <1530453318943.37822@cs.auckland.ac.nz>, <8f10ae91-9656-4f6d-b41d-9a579b7eb283@ruhr-uni-bochum.de>
In-Reply-To: <8f10ae91-9656-4f6d-b41d-9a579b7eb283@ruhr-uni-bochum.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yxjdte0E3bRmLmdOqBAiwYnWbxo>

Marcus Brinkmann <marcus.brinkmann=40ruhr-uni-bochum.de@dmarc.ietf.org> writes:

>My reading is that the nonces for individual chunks are derived from the
>message IV by XORing an index number. See the subsections on EAX and OCB that
>follow.

Sure, however if in the future someone adds another AEAD mode, and in
particular the very fashionable (in fact I'm surprised it isn't already in
there) but also very brittle GCM, then safe IV handling is critical to
security.  It's just a personal preference, but I'd add a somewhat stronger
warning to the text in 5.16 for per-chunk unique/random IVs and the
consequences of not using them when some AEAD modes are used.

Peter.
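As an added illustration of the two points in this exchange (not code from the thread or from any OpenPGP implementation): chunkNonce follows the per-chunk derivation Marcus describes for the EAX and OCB sections (low eight octets of the IV XORed with the big-endian chunk index), and ctrKeystreamCancels shows what a repeated nonce costs under a CTR-based mode like the GCM Peter is worried about. Go's standard-library AES-GCM stands in for a hypothetical future OpenPGP GCM mode, so its 12-octet nonce (rather than the 15/16 octets of OCB/EAX) and the all-zero key in the check are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// chunkNonce derives the nonce for one chunk from the message IV the way the
// draft's EAX and OCB sections do: the IV is read as a big-endian value and
// its low eight octets are XORed with the 64-bit chunk index (first chunk is
// index 0). Any IV of at least eight octets works (16 for EAX, 15 for OCB).
func chunkNonce(iv []byte, index uint64) []byte {
	nonce := make([]byte, len(iv))
	copy(nonce, iv)
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], index)
	for j := 0; j < 8; j++ {
		nonce[len(nonce)-8+j] ^= idx[j]
	}
	return nonce
}

// ctrKeystreamCancels seals two equal-length chunks with AES-GCM under the
// same key but possibly different nonces and reports whether the XOR of the
// ciphertexts equals the XOR of the plaintexts. With n1 == n2 that is always
// true, because GCM's CTR keystream cancels out and the plaintext relation
// leaks; with properly derived per-chunk nonces it does not happen. Nonces
// are 12 octets here because that is Go's GCM default (example assumption).
func ctrKeystreamCancels(key, n1, n2, p1, p2 []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil || len(p1) != len(p2) || len(n1) != 12 || len(n2) != 12 {
		return false
	}
	g, _ := cipher.NewGCM(block) // only fails for a non-16-octet block size
	c1 := g.Seal(nil, n1, p1, nil)[:len(p1)] // strip the 16-octet tag
	c2 := g.Seal(nil, n2, p2, nil)[:len(p2)]
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}
```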