[Spasm] Chunking ciphertexts
Adam Langley <agl@imperialviolet.org> Fri, 02 September 2016 00:22 UTC
Return-Path: <alangley@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4913712D7A9 for <spasm@ietfa.amsl.com>; Thu, 1 Sep 2016 17:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCbNbq6dp-37 for <spasm@ietfa.amsl.com>; Thu, 1 Sep 2016 17:22:20 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24A3412D7A2 for <spasm@ietf.org>; Thu, 1 Sep 2016 17:22:20 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id v123so102893043qkh.2 for <spasm@ietf.org>; Thu, 01 Sep 2016 17:22:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to; bh=rBBc3Zu7Cg5sy07HLsSX50YYuko4hf/UZPC8GK41oL8=; b=cq1D58vZOU/yL/4spnEm7f58GfKikONQXYHuHDUpSa8yXbHpYIR7CYi44RjnjQt/Wp wiR37sVcq2/CMhpbUSjVQAY5vs8AIQe4O8FNam4V339dISA2OskVJLCUWq1DBk04+eKs FBFnf/edRo/YYZXn1H+ZmajV/Gq7UcPt6HUDzo9++EQE5l2TqC5nWIuxd7fLidlQZgtu Dsf3v28jtABqY0gDsf+Uqe0FID3VIixuoq06Qsu+J2rj9etvtyfkIh1QBvElsBQHDi6C qMixTMJhsckBjBFvZea9m80RCNGvz0neAh9UEFL+IFbTqrI9VWzKjeKkze2L4twvXRJv uMGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=rBBc3Zu7Cg5sy07HLsSX50YYuko4hf/UZPC8GK41oL8=; b=AlBPQ3Mxo2zDSXgESpmPM/jP3TAih4fA3rU8sEYdc9Cf0N3caD48Ya9ux9BvenW2yB bmYBEpAXZ1LgRjq6D+L3zkud2OPAm0Jf4mmKvskdSqAG0oaYDIgfvlROnZGz98ZCOgco y5GNvoSw58UvyYs/yuCadoPBjqvt58hT56HzWyPKraX11SviUNCIvOkkGpnseuUcRFBL GY/qrKQTdR5Xxp4ze/koMJupk80gESjfYjNCML+wnBS0DWpFsIBgYwpld2X5qdWfwl+9 od1Ty8nAIwokfxDpy2yyn4nYYHAM6lkLHo+Fclx9e9Z0Iky6bHPPlDh8TeqxrAMNZ5aq cGaw==
X-Gm-Message-State: AE9vXwPu+U/dhg/Nu0Go7mlqxlcAAL3yGYSk2Rq3zPmKdmtr4Q7v+QJfKEAu8WXrA2uu7Zn0iTlyYGp1MOljvQ==
X-Received: by 10.55.18.148 with SMTP id 20mr7534131qks.210.1472775739023; Thu, 01 Sep 2016 17:22:19 -0700 (PDT)
MIME-Version: 1.0
Sender: alangley@gmail.com
Received: by 10.200.36.199 with HTTP; Thu, 1 Sep 2016 17:22:18 -0700 (PDT)
From: Adam Langley <agl@imperialviolet.org>
Date: Thu, 01 Sep 2016 17:22:18 -0700
X-Google-Sender-Auth: U8Vo11iHrLR9fhAtKjd2R-v9Tdg
Message-ID: <CAMfhd9VyNzoR1F8zUaxqni0RAD=n3VtPF9ku0phkod2j+CBD+Q@mail.gmail.com>
To: spasm@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QKbdr01z4dq20T7aKdlfDNVHq_c>
Subject: [Spasm] Chunking ciphertexts
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Sep 2016 00:22:23 -0000
Since the WG is currently considering changes to S/MIME, I'd like to mention the benefits of chunking ciphertexts. (Or, rather, the problems with not chunking them.) As I understand it, S/MIME and associated standards typically encrypt payloads as a single ciphertext (i.e. RFC 5084). Since the plaintexts might be quite large, this encourages implementations to decrypt these ciphertexts in a "streaming" fashion, i.e. they return plaintext before it's authenticated. Encouraging APIs that return unauthenticated plaintext is an ecosystem cost since such APIs are dangerous. One similarity is with the MAC-then-encrypt constructions used in TLS, which caused many problems by processing unauthenticated ciphertext. At a higher level, it's not hard to find people on the internet suggesting things like: gpg -d your_archive.tgz.gpg | tar xz because the gpg command also provides a "streaming" interface. (http://askubuntu.com/questions/95920/encrypt-tar-gz-file-on-create) With constructions like AES-GCM it's, of course, very easy to manipulate the plaintext at will if the application doesn't authenticate it before processing. Even if the application is careful not to "release" plaintext to the UI until the authenticity has been established, a streaming design exposes more program attack surface. By normalising large ciphertexts and thus streaming APIs, the next protocol that comes along is more likely to use them without realising the issues and thus the problem persists. Preferably, plaintext inputs would be chunked into reasonably large parts (say 16KiB) and encrypted separately. The chunks only need to be large enough that the overhead from the additional authenticators is negligible. With such a design, large messages can be incrementally processed without having to deal with unauthenticated plaintext, and AEAD APIs can be safer. (Not to mention that larger messages can be processed since AES-GCM, for one, has a ~64GiB limit for a single plaintext.) Some thought is needed to ensure that the chunks are in the correct order (i.e. by counting nonces), that the first chunk should be first (i.e. by starting the nonce at zero) and that the last chunk should be last (i.e. by appending an empty, terminator chunk with special additional data). But that's not hard. Even with such a design it's still the case that an attacker can cause the message to be detectably truncated. If you want to aim higher, an all-or-nothing transform can be used, although that requires two passes over the input and I understand if it's sufficiently problematic that you don't want to do that. Cheers AGL -- Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
- [Spasm] Chunking ciphertexts Adam Langley
- Re: [Spasm] Chunking ciphertexts Wei Chuang
- Re: [Spasm] Chunking ciphertexts Russ Housley
- Re: [Spasm] [Curdle] Chunking ciphertexts Russ Housley
- Re: [Spasm] Chunking ciphertexts Jim Schaad
- Re: [Spasm] Chunking ciphertexts Adam Langley
- Re: [Spasm] Chunking ciphertexts Jim Schaad
- Re: [Spasm] Chunking ciphertexts Adam Langley