On Thu, March 14, 2019 9:47 am, Neal H. Walfield wrote:
AEAD catches not only these errors, but also providers ciphertext
integrity.
Are you arguing like Werner that catching transmission errors is
enough and that we shouldn't bother with ciphertext integrity?
I don't see how these two are mutually exclusive.
Each chunk can provide protection against both a transmission error and
ciphertext integrity (per chunk). A simple counter in the chunk header
can protect against splicing attacks, so an attacker could not remove a
middle chunk or otherwise swap chunk orders. So the only issue is
truncation, where an attacker prevents transmission at the end.
Obviously the receiver/verifier needs to know how to handle the case of a
failure at a chunk or truncation level. What that means, of course, is up
to the application.
But I don't see how using AEAD per chunk can do anything but help.
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp