Hi,
On Wed, 2019-03-13 at 07:32 +0100, Sebastian Schinzel wrote:
Without sufficient storage a smaller chunk size does not help you in
any
way. You can still run a truncation attack and by that time the
preceding chunks have already been processed in some way because,
well,
there was no way to store the entire message. Without the final
chunk
you have an incomplete and thus unauthenticated message because the
sender authenticated the entire message and not certain parts of it.
Chosen ciphertext attacks and truncation attacks are two different
attack classes, with different assumptions on the plaintext format and
the necessary attacker capabilities.
Neal's proposal to mandate a small and fixed chunk size can solve
ciphertext malleability for future OpenPGP applications. Waving this
proposal off, just because it won't also solve truncation attacks,
does not make sense.
I don't understand why you bring up malleability.
As far as I understand Werner, he is concerned with the proposal still
forcing clients to buffer the whole message if the implementation wants
to release authenticated data only. Which is how AE is defined. So
fixing any chunk size does not work. But I may stand corrected.
Cheers,
Tobi
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp