
Re: [openpgp] AEAD Chunk Size

2019-03-29 09:37:53
At Fri, 29 Mar 2019 13:43:35 +0000,
Peter Gutmann wrote:
Neal H. Walfield <neal(_at_)walfield(_dot_)org> writes:
But what is the cost?  I would say there is basically none.  So it makes no
sense to me to optimize for this case.  It's irrelevant.

There is a significant cost in terms of implementing, debugging, and
interop-testing every implementation that wants to do this.  If no-one cares about
auth protection of data at rest, and in the complete absence of real-world
data I'm going to claim no-one does because you can't prove otherwise, using
what we currently have has zero cost because it's already implemented.  Adding
blocked auth protection has a distinctly nonzero cost.

Ok.  Is your position that the working group should remove AEAD from
4880bis until there is an academic study proving people need it?

Efail occurred.  Why is that not enough?

That was due to broken email apps.  If I can convince your email app to
forward the plaintext of a decrypted message to me, you lose no matter what
encryption mechanism you use.

Admittedly CBC/CFB made this easier, but it was the email apps that needed
fixing, not PGP.

I see it differently.  I would say it was a combination of the email
applications needing fixing and PGP needing fixing.

PGP encourages implementations to support streaming, and most do.
But, using 4880, this means that an application may see plaintext from
unauthenticated ciphertext.  Efail shows how that can be exploited by
***modifying the ciphertext*** (a PGP problem) to create a potential
exfiltration channel.  Using chunked AEAD correctly, this type of
attack is not possible: it is possible to stream, and only release
plaintext from authenticated ciphertext.

Now, applications could have protected themselves from this attack if
they had backed out the message on MDC failure.  But, they didn't.
And, I'd argue that a major reason that they didn't was because this
type of attack is not well understood by application developers.
Application developers understand truncation.  But, ciphertext
modification is something that most have probably never heard of.
Since we can protect application developers from ciphertext
modification, I would argue that not doing so is negligent.

So, if we are distributing blame, and I'd rather not play that game,
then I'd place 90% of the blame on the WG and the PGP implementations,
and only 10% on the mail application developers.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
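The streaming argument in the message above (plaintext from unauthenticated ciphertext under 4880-style encryption, versus release-after-authentication with chunked AEAD) can be made concrete with a small model. The following is an added illustration, not code from this thread or from any OpenPGP implementation: an HMAC-derived keystream stands in for the cipher, a per-chunk HMAC tag bound to the chunk index stands in for the AEAD tag, and a single HMAC over the whole ciphertext stands in for the trailing integrity check (the MDC). The keys, nonce, chunk size and message are constructed for the demo. Both decryptors stream; the only difference is when the integrity check can run, and that decides what an application has already seen by the time a modified chunk is detected.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

CHUNK_SIZE = 16  # plaintext bytes per chunk; tiny so the demo stays readable (constructed)

# Constructed demo keys and message; not real OpenPGP key material.
ENC_KEY = b"enc-key-constructed-for-demo"
MAC_KEY = b"mac-key-constructed-for-demo"
NONCE = b"demo-nonce-1"
PLAINTEXT = b"chunk zero......chunk one.......chunk two......."  # 48 bytes = 3 chunks


def _keystream(index: int, length: int) -> bytes:
    """Toy keystream from HMAC-SHA256 over nonce||chunk index||block counter.
    It stands in for the cipher; the example is about *when* plaintext is released."""
    out, counter = b"", 0
    while len(out) < length:
        msg = NONCE + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(ENC_KEY, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(index: int, data: bytes) -> bytes:
    """Authentication tag bound to the chunk index so chunks cannot be reordered."""
    return hmac.new(MAC_KEY, index.to_bytes(8, "big") + data, hashlib.sha256).digest()[:16]


def encrypt_chunked(plaintext: bytes) -> List[Tuple[bytes, bytes]]:
    """Chunked-AEAD model: every chunk carries its own tag."""
    chunks = []
    for idx, start in enumerate(range(0, len(plaintext), CHUNK_SIZE)):
        ct = _xor(plaintext[start:start + CHUNK_SIZE], _keystream(idx, CHUNK_SIZE))
        chunks.append((ct, _tag(idx, ct)))
    return chunks


def encrypt_trailing(plaintext: bytes) -> Tuple[List[bytes], bytes]:
    """4880-style model: encrypt everything, one integrity value (like the MDC) at the end."""
    cts = [_xor(plaintext[s:s + CHUNK_SIZE], _keystream(i, CHUNK_SIZE))
           for i, s in enumerate(range(0, len(plaintext), CHUNK_SIZE))]
    return cts, _tag(0, b"".join(cts))


def decrypt_chunked(chunks: List[Tuple[bytes, bytes]], sink: List[bytes]) -> None:
    """Streaming decryptor that releases a chunk only after its tag verifies."""
    for idx, (ct, tag) in enumerate(chunks):
        if not hmac.compare_digest(tag, _tag(idx, ct)):
            raise ValueError(f"chunk {idx} failed authentication; it was not released")
        sink.append(_xor(ct, _keystream(idx, len(ct))))


def decrypt_trailing(cts: List[bytes], tag: bytes, sink: List[bytes]) -> None:
    """Streaming decryptor in the 4880 model: plaintext is released as it is produced and
    the integrity check can only run once the whole message has been consumed."""
    for idx, ct in enumerate(cts):
        sink.append(_xor(ct, _keystream(idx, len(ct))))
    if not hmac.compare_digest(tag, _tag(0, b"".join(cts))):
        raise ValueError("integrity check failed after plaintext was already released")


def demo(modify_chunk: Optional[int] = 1) -> dict:
    """Encrypt PLAINTEXT both ways, flip one ciphertext byte in `modify_chunk` (None = leave
    intact), run both streaming decryptors and report what each released before failing."""
    chunks = encrypt_chunked(PLAINTEXT)
    cts, tag = encrypt_trailing(PLAINTEXT)
    if modify_chunk is not None:
        ct, t = chunks[modify_chunk]
        chunks[modify_chunk] = (bytes([ct[0] ^ 0x01]) + ct[1:], t)
        cts[modify_chunk] = bytes([cts[modify_chunk][0] ^ 0x01]) + cts[modify_chunk][1:]
    result = {}
    for name, fn, args in (("chunked", decrypt_chunked, (chunks,)),
                           ("trailing", decrypt_trailing, (cts, tag))):
        sink: List[bytes] = []
        try:
            fn(*args, sink)
            result[name + "_error"] = None
        except ValueError as e:
            result[name + "_error"] = str(e)
        result[name + "_released"] = b"".join(sink)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the default `demo()`, the chunked decryptor hands the application only the first chunk and then stops at the modified one; the trailing-check decryptor hands over all three chunks, the middle one altered, and only then reports the failure. The model deliberately abstracts two details of the real format: CFB error propagation (a modified byte also garbles the following block) and the fact that the MDC hashes plaintext rather than authenticating ciphertext. Neither changes the ordering point the message makes.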
