ietf-openpgp

Re: [openpgp] AEAD Chunk Size

2019-03-13 01:33:01
On 01.03.19 at 15:50, Werner Koch wrote:
> Consequently, I propose not only imposing a reasonable ceiling on the
> chunk size that even small embedded devices with a cortex M0 could
> handle, but to simply fix the parameter to 16 KiB.  It's not clear to
>
> Without sufficient storage a smaller chunk size does not help you in any
> way.  You can still run a truncation attack and by that time the
> preceding chunks have already been processed in some way because, well,
> there was no way to store the entire message.  Without the final chunk
> you have an incomplete and thus unauthenticated message because the
> sender authenticated the entire message and not certain parts of it.

Chosen ciphertext attacks and truncation attacks are two different
attack classes, with different assumptions on the plaintext format and
the necessary attacker capabilities.

Neal's proposal to mandate a small and fixed chunk size can solve
ciphertext malleability for future OpenPGP applications. Waving this
proposal off, just because it won't also solve truncation attacks, does
not make sense.

Best
Sebastian


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
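
An added example, not part of the original message or of any OpenPGP implementation: a sketch of chunked authenticated decryption that keeps the two attack classes from the message apart. A modified chunk is rejected before any of its plaintext is released, while a cut-off stream is only noticed when the final tag never arrives. The HMAC-based stand-in cipher, the 16-byte chunk size, the record layout and all names are assumptions made for the illustration.

```python
import hashlib
import hmac

CHUNK = 16   # assumed tiny chunk size so the sample spans several chunks
TAG = 32     # HMAC-SHA256 tag length

def _keystream(key, index, n):
    # Stdlib stand-in for a real AEAD mode: SHA-256 in counter mode per chunk.
    out, ctr = b"", 0
    while len(out) < n:
        block = key + b"enc" + index.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:n]

def _tag(key, label, index, data=b""):
    # The chunk index is bound into every tag, so chunks cannot be reordered.
    return hmac.new(key, label + index.to_bytes(8, "big") + data, hashlib.sha256).digest()

def seal(key, plaintext):
    """Return per-chunk records (ciphertext || tag) followed by a final tag
    that binds the total number of chunks."""
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)]
    records = []
    for i, pt in enumerate(chunks):
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, i, len(pt))))
        records.append(ct + _tag(key, b"chunk", i, ct))
    records.append(_tag(key, b"final", len(chunks)))
    return records

def open_stream(key, records):
    """Return (released_chunks, status); a chunk is released only after its
    own tag verifies, and status reports how the stream ended."""
    released = []
    for i, rec in enumerate(records):
        if hmac.compare_digest(rec, _tag(key, b"final", i)):
            return released, "complete"
        ct, tag = rec[:-TAG], rec[-TAG:]
        if not hmac.compare_digest(tag, _tag(key, b"chunk", i, ct)):
            return released, "modified"      # nothing from this chunk is released
        released.append(bytes(a ^ b for a, b in zip(ct, _keystream(key, i, len(ct)))))
    return released, "truncated"             # ran out of input before the final tag

KEY = bytes(range(32))                       # constructed sample key
MSG = b"A" * 16 + b"B" * 16 + b"C" * 8       # constructed 40-byte sample message

if __name__ == "__main__":
    print(open_stream(KEY, seal(KEY, MSG)[:2]))
```
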
