Hi Werner,
On Mon, 18 Mar 2019 07:50:22 +0100,
Werner Koch wrote:
On Fri, 15 Mar 2019 12:48, neal(_at_)walfield(_dot_)org said:
Are you arguing like Werner that catching transmission errors is
enough and that we shouldn't bother with ciphertext integrity?
I never said this.
I was referring to this:
On Fri, 01 Mar 2019 15:50:15 +0100,
Werner Koch wrote:
> Let me repeat it again: The chunking was introduced for just one
> purpose: To be able to detect rare transmission errors earlier than at
> the end of the message.
Sorry, can you please explain how you can read out of this that I
said: "we shouldn't bother with ciphertext integrity".
I'm extremely happy to hear that I've misunderstood your position, and
that our goals are actually aligned.
Can you please explain how to get ciphertext integrity when streaming?
To be clear: for me, truncation is an orthogonal issue; my primary
concern is how to ensure that no implementations ever release
plaintext derived from modified ciphertext.
If you think that the current proposal achieves this, I've presented a
few critiques in <87mum6ekbd(_dot_)wl-neal(_at_)walfield(_dot_)org>
(https://mailarchive.ietf.org/arch/msg/openpgp/WvaisWDd9WzoKXL1FyHDeZNtZ2U):
1. If messages can't be decrypted, because a chunk won't fit in
memory, but unauthenticated streaming would otherwise "work,"
implementors will do the latter, because security must not get in
the way of a user getting her job done.
2. If unauthenticated streaming is allowed or tacitly encouraged, it
will be done first, because the set of messages that
unauthenticated streaming can decrypt is a superset of those that
authenticated decryption can handle, and it will perhaps be done
exclusively because introducing a second code path that, modulo
security concerns, is functionally equivalent to the code path
for unauthenticated streaming is extra work, and extra
complexity, which developers will try to avoid.
3. If implementations revert to unauthenticated streaming for large
chunk sizes, an attacker can conduct an EFAIL-style attack by
changing the chunk size.
Thanks!
:) Neal
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp