ietf-openpgp

Re: [openpgp] v5 Secret-Key Packet Formats

2018-01-12 18:38:45
On Fri, Jan 12, 2018 at 05:22:45PM +0100, Werner Koch wrote:
> On Fri, 12 Jan 2018 16:22, tom(_at_)ritter(_dot_)vg said:
>
> > Would this be adding a new mode that would have to be implemented?
> > That is in addition to adding chunked AEAD we're now also adding
> > non-chunked AEAD?
>
> No.  Like the current CFB mode, AEAD will be used at 3 places:
>
>  1. Bulk data encryption
>
>  2. Encryption used by the secret-key session key packet (which makes it
>     possible to encrypt to several passphrases)
>
>  3. Encryption of the secret key.
>
> My claim is that the chunked mode is only used for 1.  For 2 and 3 we
> can avoid any chunked mode and thus do not need to assume a certain
> chunk size.
>
> Sure, we could also keep on using CFB for 2 and 3 but that would require
> a minimalist implementation to implement CFB and AEAD(EAX).

I don't have a strong preference between non-chunked or chunked,
although I do quite want to avoid relying on CFB for the future.

I wrote it the way I did for a couple of reasons:

* We have various uses of CFB throughout the document, some using an
  all-zero IV and random prefix and some using a real IV.  I wanted to
  provide one consistent technique for encrypting to reduce complexity.
* The chunk size was large enough to cover most current keys, and it
  could be arbitrarily extended (using multiple chunks) to any future
  keys.
* The chunk size was small enough to be practical for low-resource
  devices without having to release ciphertext before tag verification,
  even if we have large keys.  (I know the non-chunked nature of the MDC
  packet has had DoS implications in GnuPG in the past.)
* The extra block at the end is required to avoid truncation attacks in
  chunked mode, and the cost of 16 bytes in the secret key packets
  didn't seem like a huge cost given the other constraints.

This is just a rationale, and if implementers or other folks think a
non-chunked approach for key material is better, I'm happy to go along.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp