ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] AEAD Chunk Size

2019-03-20 08:24:50
from [Derek Atkins] [Permanent Link] 
Hi,

"Neal H. Walfield" <neal(_at_)walfield(_dot_)org> writes:


Hi Derek,

Thanks for your analysis.  I think the AEAD chunking algorithm is
sound, if it is used correctly.

My issue is that I don't think it is possible to use the chunking
algorithm correctly for large chunk sizes.  For instance, what should
an implementation do if it encounters a chunk size of 16 TB (and there
really can be >16 TB of data using a small decompression bomb)?
Should it be allowed to emit unauthenticated plaintext?


Aha, and we have come around full circle again.

The chunk size needs to be small enough that the receiver can process
it.  If it's too big, then it cannot be processed and the receiver
either must buffer it or will decide to release the plaintext prior to
the chunk being completed.

[snip]

So, my conclusion is, we must prohibit implementations from emitting
unauthenticated plaintext *and* remove any incentives to do so.  For
me, this means a small, fixed chunk size.


There is no way to prohibit the implementation from emitting
unauthenticated plaintext.  Implementations will do what they want/need
to do.

I still don't think we need a fixed chunk size.  Different use cases may
dictate different ideas.  It's a tradeoff, of course.  The hope would be
the receiver can signal to the sender what it should do.

I DO believe that recommended chunk sizes should be smaller than, say
4TB (let alone exabytes).  I am happy to have the range be anywhere from
1KB to 128MB (give or take), but I still don't think we should outright
prohibit smaller or larger.  Considering the chunk size should be part
of the protected data, I don't see how an attacker could modify it, only
a sender that doesn't pay attention.

Specifically, if the sender and receiver have some out-of-band knowledge
about each other I still think it's perfectly reasonable for them to
make their own choices.


Does this clarify my concerns?


I think so, and we ARE on the same page, I think.


Thanks!

:) Neal


-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Deprecating compression support, Andre Heinecke
Next by Date:  [openpgp] v5 sample key, Werner Koch
Previous by Thread:  Re: [openpgp] AEAD Chunk Size, Nickolay Olshevsky
Next by Thread:  Re: [openpgp] AEAD Chunk Size, Neal H. Walfield
Indexes:  [Date] [Thread] [Top] [All Lists]