On Mar 27, 2019, at 8:50 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:
In my mind, each chunk is its own AEAD ciphertext. So the chunking is
happening *during* AEAD encryption, and not after encryption. I.e., the
chunking and AEAD encryption should be tied together such that the chunk
header is part of the AEAD protection and the chunk data is the AEAD
encrypted data.
This approach does, IMHO, map directly into the RFC definition.
This is exactly what I presumed would be done — each chunk is an AEAD segment.
I presumed that one would probably put a chunk number as Additional Data, and
that the nonce context would carry over from one chunk to the next in some
reasonable way.
That’s directly analogous to the present chunking mechanism, which uses CFB as
a stream.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp