IETF Logo Mail Archive

Re: [TLS] Comments on

nisse@lysator.liu.se (Niels Möller ) Fri, 14 February 2014 20:50 UTC

Return-Path: <nisse@lysator.liu.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FC3B1A03E0 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 12:50:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id szTqf_0uG2kR for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 12:50:00 -0800 (PST)
Received: from bacon.lysator.liu.se (bacon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::ce]) by ietfa.amsl.com (Postfix) with ESMTP id EC0571A03E1 for <tls@ietf.org>; Fri, 14 Feb 2014 12:49:38 -0800 (PST)
Received: from bacon.lysator.liu.se (localhost [127.0.0.1]) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5) with ESMTP id s1EKnOpA010608; Fri, 14 Feb 2014 21:49:24 +0100 (MET)
Received: (from nisse@localhost) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5/Submit) id s1EKnLh8010607; Fri, 14 Feb 2014 21:49:21 +0100 (MET)
X-Authentication-Warning: bacon.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se
To: Adam Langley <agl@google.com>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nna9dum6fk.fsf@bacon.lysator.liu.se> <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com> <nnsirlldyf.fsf@bacon.lysator.liu.se> <CAL9PXLzgHqguYfKwhiVyjDeSCUkqwbsoujAcz8UPN0FQyfaodg@mail.gmail.com>
Date: Fri, 14 Feb 2014 21:49:21 +0100
In-Reply-To: <CAL9PXLzgHqguYfKwhiVyjDeSCUkqwbsoujAcz8UPN0FQyfaodg@mail.gmail.com> (Adam Langley's message of "Fri, 14 Feb 2014 14:49:38 -0500")
Message-ID: <nnob29l8ry.fsf@bacon.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4wpEOLqgBa6kqPqPtg36h-xxpFU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 20:50:09 -0000

Adam Langley <agl@google.com> writes:

> I disagree here and this seems to contradict your statement above that
> decryption in a pipeline is a "dangerous habit". Wouldn't your
> streaming/incremental API return unauthenticated plaintext to the
> caller and thus encourage just this habit?

The proper way is to process the file incrementally (with bounded RAM),
write the result to a temporary file on disk (preferably hidden, if
supported by the OS). At the end of data, check authentication, and
either rename the file and advertise it, or delete it and return a
failure exit code.

And I think this is the right way to do it no matter of you use plain
AEAD or some "AEAD chunking format" (more on truncation below).

> So I think that what you want is an "AEAD chunking format" which is a
> higher level concept than an AEAD and that our disagreement arises
> from merging what I see as two different layers.

Under the assumption that processing of a truncated version or "prefix"
of the authenticated file is somehow safe, an AEAD chunking format has
an advantage over plain AEAD, in that it can provide prefixes of the
authenticated file early.

But in the case that you really want proper authentication of the
*complete* file before you start processing it, I think an AEAD chunking
format is additional complexity with no benefit over plain AEAD, since
plain AEAD provides exactly the type of autentication needed.

I'd prefer not assume that prefixes are safe. I don't have any very
concrete example, but I think that in general handling a truncated file
should be considered dangerous. As one example, I think pdf files have
some kind of master index at the end, and also some possibility to edit
earlier contents by appending data and a new index at the end (intended
for adding notes on top of a signed pdf, iirc).

> (*) by one-shot I mean that it does the whole operation in one call. I.e.:
>
> ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
>                          unsigned char *out, size_t max_out_len,
>                          const unsigned char *nonce, size_t nonce_len,
>                          const unsigned char *in, size_t in_len,
>                          const unsigned char *ad, size_t ad_len);

I intend to provide an interface like that in the Nettle library; the
streaming/incremental interface will not be the only one. And I expect
that the one-shot functions will be the right choice for most
applications.

But since the one-shot functions will be implemented on top of the
lower-level incremental interface I described earlier, any additional
complexity there is relevant also for applications exlusively using the
one-shot interface.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

v2.23.0 | Report a Bug | By Email