
Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

2015-11-01 09:52:10
On 30 Oct 2015 13:30, "Watson Ladd" <watsonbladd(_at_)gmail(_dot_)com> wrote:
> On Oct 30, 2015 8:25 AM, "Natanael" <natanael(_dot_)l(_at_)gmail(_dot_)com> wrote:
> [...]
> Use authenticated encryption so no signatures are required. Detached
> signature verification is used for large public messages already: no
> streaming needed.

I'm not sure if we read the requirements differently. He asked for
immutable signed files, meaning that an AEAD authentication key is
insufficient because the other recipients all have the same key and can
substitute the ciphertext. There's an explicit requirement that the
capabilities of the sender and (potentially multiple) receivers are
different.

Yes, the signature would fail if combining standard AEAD with a full
ciphertext signature and one receiver modified the ciphertext, but see the
reasoning for why it is necessary again - by the time the failure is
detected, the software that's performing the streaming decryption and
processing may already have taken some undesired action, or might fail to
cancel a future undesired action (by not deleting the resulting plaintext).
This preemptively prevents mistakes made by the client software.

It isn't just AEAD, it is seekable streaming AEAD with per-block
verification of immutability, allowing you to look up any block
individually and confirm that *that block* hasn't been modified by anybody
but the original sender.

Imagine for example an encrypted video or a large archive of files being
sent to multiple receivers. With AES-GCM and a signature at the end, you
either decrypt and verify everything before viewing or you decrypt just one
part and accept that another one of the receivers may have tampered with
your copy of the video/files (if, for example, it is stored on a NAS).

Or worse, the software parsing the plaintext might have an exploitable bug,
which may then already have been exploited when the signature verification
fails, so that even if the decryption software rolls back everything it did,
you now have malware on your system anyway.

The other option is of course the sender creating multiple ciphertexts with
separate keys for every recipient. Very much not ideal for large files.

To solve B, what you need to do is something like signing a list of
ciphertext hashes/authentication tags.

> The idea below demands conditions beyond MAC security.

Feel free to explain what conditions those are. I'll happily admit I'm just
a cryptography novice; I'm willing to learn why this might be flawed or
insufficient.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp