Re: [openpgp] AEAD mode unverified chunks

2018-07-01 08:55:51
Marcus Brinkmann 
<marcus.brinkmann=40ruhr-uni-bochum(_dot_)de(_at_)dmarc(_dot_)ietf(_dot_)org> 
writes:

 If a chunk can not be authenticated, implementations MUST discard the
 plaintext of that chunk without further processing

But that then requires the artificial chunk-size restriction you mentioned in
an earlier message, which also means you'll start expanding messages if you
have to break them up into smallish chunks with IVs and MACs and whatnot in
each chunk...

Hmmm, and a comment on the text:

"A new random initialization vector MUST be used for each message".

That should be "for each chunk", along with a strong warning about the fact
that you'll get a catastrophic failure of security if you don't do this and
use a highly brittle AEAD mode like GCM.  That is, this isn't just some nice
thing to do like the usual comment about using fresh IVs, you'll get a
catastrophic security failure if you don't, far more so than with any other
encryption mode that uses IVs.

Peter.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp