
Re: [openpgp] AEAD Chunk Size

2019-03-29 15:49:20


On Mar 29, 2019, at 7:37 AM, Neal H. Walfield <neal(_at_)walfield(_dot_)org> wrote:


> Ok.  Is your position that the working group should remove AEAD from
> 4880bis until there is an academic study proving people need it?

I think that if Peter wanted to remove AEAD, he’d just say that.

But no, the whole reason he and I and others are debating is that we think that 
AEAD in OpenPGP is a Good Idea.


>>> Efail occurred.  Why is that not enough?

>> That was due to broken email apps.  If I can convince your email app to
>> forward the plaintext of a decrypted message to me, you lose no matter what
>> encryption mechanism you use.
>>
>> Admittedly CBC/CFB made this easier, but it was the email apps that needed
>> fixing, not PGP.

> I see it differently.  I would say it was a combination of the email
> applications needing fixing and PGP needing fixing.

Before I go further, it’s OpenPGP. This working group is OpenPGP.

PGP is a software product owned by Symantec. It implements OpenPGP, as well as 
S/MIME, X.509, and a whole lot of other things.


> PGP encourages implementations to support streaming, and most do.
> But, using 4880, this means that an application may see plaintext from
> unauthenticated ciphertext.  Efail shows how that can be exploited by
> ***modifying the ciphertext*** (a PGP problem) to create a potential
> exfiltration channel.  Using chunked AEAD correctly, this type of
> attack is not possible: it is possible to stream, and only release
> plaintext from authenticated ciphertext.
>
> Now, applications could have protected themselves from this attack if
> they had backed out the message on MDC failure.  But, they didn't.
> And, I'd argue that a major reason that they didn't was because this
> type of attack is not well understood by application developers.
> Application developers understand truncation.  But, ciphertext
> modification is something that most have probably never heard of.
> Since we can protect application developers from ciphertext
> modification, I would argue that not doing so is negligent.
>
> So, if we are distributing blame, and I'd rather not play that game,
> then I'd place 90% of the blame on the WG and the PGP implementations,
> and only 10% on the mail application developers.

Then why does it work with S/MIME? Do they get 90% too?

That brings us up to 190% of the blame, which might be called for, given that 
it is a major cluster, but I think it’s orthogonal to what we’re talking about 
here.

How about if we just work on AEAD instead of debating Efail? Especially since 
we agree on AEAD being needed.

        Jon


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
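The streaming argument in Neal's quoted message (stream the message, but release plaintext only from chunks whose authentication tag has verified, so a modified, reordered or truncated ciphertext is refused before any unauthenticated bytes reach the mail client) as an added example in Go. This is not code from the thread or from any OpenPGP implementation, and it does not follow the 4880bis AEAD packet format: the AES-GCM construction, the 16-byte chunk size, the nonce layout (4-byte prefix plus chunk index), the additional-data scheme (chunk index plus a final-chunk flag), and the key and message values are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ChunkSize is deliberately tiny so that a short message spans several chunks.
const ChunkSize = 16

// chunkNonce builds a 12-byte GCM nonce from a per-message prefix and the
// chunk index, so a chunk only decrypts at the position it was sealed for.
func chunkNonce(prefix []byte, idx uint64) []byte {
	n := make([]byte, 12)
	copy(n, prefix)
	binary.BigEndian.PutUint64(n[4:], idx)
	return n
}

// chunkAAD binds the chunk index and a "this is the final chunk" flag into
// the associated data, so cutting the tail off a stream is detected.
func chunkAAD(idx uint64, final bool) []byte {
	aad := make([]byte, 9)
	binary.BigEndian.PutUint64(aad, idx)
	if final {
		aad[8] = 1
	}
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptChunked seals each ChunkSize slice of plaintext separately; every
// chunk carries its own 16-byte tag, so it can be verified on its own.
func EncryptChunked(key, noncePrefix, plaintext []byte) ([][]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var chunks [][]byte
	for idx := uint64(0); ; idx++ {
		start := int(idx) * ChunkSize
		end := start + ChunkSize
		final := end >= len(plaintext)
		if final {
			end = len(plaintext)
		}
		ct := aead.Seal(nil, chunkNonce(noncePrefix, idx), plaintext[start:end], chunkAAD(idx, final))
		chunks = append(chunks, ct)
		if final {
			return chunks, nil
		}
	}
}

// DecryptChunked is the streaming consumer. It hands a chunk to emit only
// after that chunk's tag verifies; on the first bad chunk it stops and
// reports how many chunks were released. Unauthenticated plaintext is
// therefore never passed to the application, which is the property the
// CFB+MDC design cannot offer to a streaming consumer.
func DecryptChunked(key, noncePrefix []byte, chunks [][]byte, emit func([]byte)) (int, error) {
	aead, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	released := 0
	for idx, ct := range chunks {
		// The last chunk we hold must have been sealed as the final one;
		// otherwise the stream was truncated and the AAD will not match.
		final := idx == len(chunks)-1
		pt, err := aead.Open(nil, chunkNonce(noncePrefix, uint64(idx)), ct, chunkAAD(uint64(idx), final))
		if err != nil {
			return released, fmt.Errorf("chunk %d failed authentication (tampered, reordered or truncated); halting before release", idx)
		}
		emit(pt)
		released++
	}
	return released, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	prefix := []byte{0xde, 0xad, 0xbe, 0xef}         // constructed per-message nonce prefix
	msg := []byte("chunk0-16-bytes!chunk1-16-bytes!tail bit")
	chunks, _ := EncryptChunked(key, prefix, msg)
	chunks[1][0] ^= 0x01 // corrupt one ciphertext bit in the second chunk
	var out []byte
	n, err := DecryptChunked(key, prefix, chunks, func(pt []byte) { out = append(out, pt...) })
	fmt.Printf("released %d chunk(s) = %q, then: %v\n", n, out, err)
}
```

Chunk 0 is released because its own tag verified; chunk 1 fails and nothing after it is emitted. The same decryptor refuses a truncated stream (the final-chunk flag in the AAD no longer matches) and a reordered one (the index baked into the nonce and AAD is wrong), which is the "only release plaintext from authenticated ciphertext" behaviour the message describes.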
