Hi,
On Fri, 2019-03-15 at 12:40 +0100, Neal H. Walfield wrote:
I'm currently convinced that streaming authenticated plaintext is only
possible if we use small chunk sizes. If we allow large chunk sizes
(e.g., 4 exabytes, which is what the current draft allows), then there
will be cases where an implementation can stream unauthenticated
plaintext, but not authenticated data, and, because it can, it will.
And this is even though pretty much everyone including the IETF (see
RFC 5116 [1]) agrees that AEAD must only emit authenticated plaintext.
[1] https://tools.ietf.org/html/rfc5116#section-2.2
Maybe we're hitting a terminology issue here.
For me, a plaintext is authenticated if the whole ciphertext could be
successfully authenticated. Which seems to be very well in line with the
definition you've linked to.
Now, if you modify a (long) ciphertext that has been broken into chunks
near the end and a decryption routine reveals the first parts of the
decrypted ciphertext, would you agree that revealing those parts of the
plaintext does not meet the definition that you've linked to?
And do you further agree that you would need to find a way to prevent
any plaintext to be revealed unless the full message has been
authenticated correctly in order to match the definition that you've
mentioned?
Cheers,
Tobi
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp