ietf-openpgp
[Top] [All Lists]

Re: [openpgp] AEAD Chunk Size

2019-03-18 03:24:35
Hi Werner,

On Mon, 18 Mar 2019 07:50:22 +0100,
Werner Koch wrote:
On Fri, 15 Mar 2019 12:48, neal(_at_)walfield(_dot_)org said:
Are you arguing like Werner that catching transmission errors is
enough and that we shouldn't bother with ciphertext integrity?

I never said this.

I was referring to this:

  On Fri, 01 Mar 2019 15:50:15 +0100,
  Werner Koch wrote:
  > Let me repeat it again: The chunking was introduced for just one
  > purpose: To be able to detect rare transmission errors earlier than at
  > the end of the message.

Sorry, can you please explain how you can read out of this that I 
said: "we shouldn't bother with ciphertext integrity".

I'm extremely happy to hear that I've misunderstood your position, and
that our goals are actually aligned.

Can you please explain how to get ciphertext integrity when streaming?

To be clear: for me, truncation is an orthogonal issue; my primary
concern is how to ensure that no implementations ever release
plaintext derived from modified ciphertext.

If you think that the current proposal achieves this, I've presented a
few critiques in <87mum6ekbd(_dot_)wl-neal(_at_)walfield(_dot_)org>
(https://mailarchive.ietf.org/arch/msg/openpgp/WvaisWDd9WzoKXL1FyHDeZNtZ2U):

  1. If messages can't be decrypted, because a chunk won't fit in
     memory, but unauthenticated streaming would otherwise "work,"
     implementors will do the latter, because security must not get in
     the way of a user getting her job done.

  2. If unauthenticated streaming is allowed or tacitly encouraged, it
     will be done first, because the set of messages that
     unauthenticated streaming can decrypt is a superset of those that
     authenticated decryption can handle, and it will perhaps be done
     exclusively because introducing a second code path that, modulo
     security concerns, is functionally equivalent to the code path
     for unauthenticated streaming is extra work, and extra
     complexity, which developers will try to avoid.

  3. If implementations revert to unauthenticated streaming for large
     chunk sizes, an attacker can conduct an EFAIL-style attack by
     changing the chunk size.

Thanks!

:) Neal

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

<Prev in Thread] Current Thread [Next in Thread>