ietf-openpgp

Re: [openpgp] AEAD Chunk Size

2019-03-19 03:32:29
On Tue, 19 Mar 2019 08:30:22 +0100,
Werner Koch wrote:
On Mon, 18 Mar 2019 14:11, frantz(_at_)pwpconsult(_dot_)com said:

To protect against truncation attacks you can borrow an idea from the
database people and not commit your changes until you have a complete
message.

Right.  And you need to do that anyway because authenticated encryption
doesn't tell you anything about the origin of the message and thus you
need to check the signature of the message after it has been completely
decrypted (at least with OpenPGP and CMS).  Anyone can send malicious
content and AE doesn't protect against processing such content.

I agree with you that AEAD + signed chunks is even better.  But,
streaming AEAD still provides a significant improvement relative to
the status quo: it protects against EFAIL-style exfiltration attacks.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
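
The following is an added example, not part of the original message and not taken from any OpenPGP implementation. It contrasts releasing chunks as each one authenticates with staging them and committing only once the final chunk has verified, so a truncated stream leaves nothing behind. Assumptions: HMAC-SHA256 over (chunk index, final flag, data) stands in for the per-chunk AEAD tag, encryption is omitted, and the key, message and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"k" * 32  # constructed demo key
MESSAGE = [b"transfer 100 EUR", b" to alice", b" on friday"]  # constructed

def _tag(index, final, data):
    # Stand-in for the AEAD tag: binds chunk index and final flag to the data.
    header = struct.pack(">QB", index, final)
    return hmac.new(KEY, header + data, hashlib.sha256).digest()

def seal(chunks):
    """Frame each chunk as (final_flag, data, tag); only the last is final."""
    last = len(chunks) - 1
    return [(i == last, c, _tag(i, i == last, c)) for i, c in enumerate(chunks)]

class Truncated(Exception):
    """The stream ended without an authenticated final chunk."""

def open_streaming(frames, sink):
    """Release each chunk to the sink as soon as its own tag verifies."""
    done = False
    for i, (final, data, tag) in enumerate(frames):
        if done or not hmac.compare_digest(tag, _tag(i, final, data)):
            raise ValueError("chunk %d rejected" % i)
        sink.append(data)  # already consumed if truncation shows up later
        done = final
    if not done:
        raise Truncated("stream ended before the final chunk")

def open_committed(frames, sink):
    """Verify into a staging buffer; commit only after the final chunk."""
    staged = []
    open_streaming(frames, staged)
    sink.extend(staged)  # reached only when the whole message verified

def try_open(opener, frames):
    """Return (outcome, what the consumer ended up with)."""
    sink = []
    try:
        opener(frames, sink)
        return "ok", sink
    except (Truncated, ValueError) as exc:
        return type(exc).__name__, sink

if __name__ == "__main__":
    cut = seal(MESSAGE)[:2]  # attacker drops the last chunk
    print("streaming:", try_open(open_streaming, cut))
    print("committed:", try_open(open_committed, cut))
```
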
