From nobody Sun May 21 16:43:11 2017 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE8581279EB for ; Sun, 21 May 2017 16:43:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.699 X-Spam-Level: X-Spam-Status: No, score=0.699 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PePgSSBXZFuW for ; Sun, 21 May 2017 16:43:09 -0700 (PDT) Received: from castro.crustytoothpaste.net (sandals-1-pt.tunnel.tserv8.dal1.ipv6.he.net [IPv6:2001:470:1f0e:3f1::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D1A61271DF for ; Sun, 21 May 2017 16:43:09 -0700 (PDT) Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id 676C7280AD for ; Sun, 21 May 2017 23:43:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1495410188; bh=tXoRJaZwma83i5zBepunxA8tZXsvAAMUrYussmaHBHM=; h=Date:From:To:Subject:From; b=j7zIngyayOVqxDhSyMVGBz4DhM5VKAoeZoI3UjaOj4xEpSlCBoyySHOyxgho4Nbwx C5vEOldlSFf2YyA6VBObBTwu6JGbd4qpWdygUkcNcq/BHGS7Nrb1y2wYDr0W1ZThXB swdbi2qd7iGpXBOM6nsIA3Zhe3O8obEZupVFcfwtL+R9cFXMdpjLlITqj9n7WUsCJW bJl76pMEe8g4ZK9oWSbtOYgyBkLysXYL9L9KU/kE9+eq3Jopv+Ksvo6wsCEZzZVqjL EwKQ6kWG0DMlDT2PRba6zN3FB529DXxZ40DUJv76seQhAIJAQAO41yNXcw/9+xzmKr LTsNV+F1oYOSUHX1wHlIWXYxMtGMJE+zC179NbTb2lFeWfUElG4ROUN2PbhJ+WLN4C FZ+lDmhOJRuqIk1VERg6DWLXCJcpakaBmtMDl7jdDC2+iq7xgbBAgNl8wk+VkoQfyb 0k6PN9D8t4ZGCZXSUzVW0N+CpPORHR6OPXwYfqNR1sZBPR1oSi5 Date: Sun, 21 May 2017 23:43:02 +0000 From: "brian m. carlson" To: openpgp@ietf.org Message-ID: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="vxymbidi4xmqsvb7" Content-Disposition: inline X-Machine: Running on genre using GNU/Linux on x86_64 (Linux kernel 4.9.0-3-amd64) User-Agent: NeoMutt/20170306 (1.8.0) Archived-At: Subject: [openpgp] AEAD encrypted data packet with EAX X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 May 2017 23:43:11 -0000 --vxymbidi4xmqsvb7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I have a proposed pull request for a streaming AEAD encrypted data packet using EAX mode[0]. I will send a patch shortly. EAX is a block cipher mode combining CTR mode and OMAC. It is similar to CCM and is considered secure. It can be easily implemented securely in a variety of languages using the CBC and CTR modes available in most cryptographic libraries. The packet allows for fixed-sized chunks from 64 bytes to 65536 bytes (or larger) in size and also permits streaming. It contains truncation detection at the cost of 16 bytes of buffering. I retained the AEAD algorithm octet so as not to need to overload one octet with cipher type and AEAD algorithm. This allows us to use something like Poly1305 with both AES and ChaCha20 in the future. I welcome feedback on this proposal. If it's determined to be viable, I'd also like to see adjustments to the SKESK and Secret Key packets to add AEAD support. [0] https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/4 --=20 brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: https://keybase.io/bk2204 --vxymbidi4xmqsvb7 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.20 (GNU/Linux) iQIzBAABCgAdFiEEX8OngXdrJt+H9ww3v1NdgR9S9osFAlkiJgUACgkQv1NdgR9S 9otrLg/+P2ClhSdTILKAzwQgHK5J2DNhR8Fv0O7oKzwxpDtWPFqv+AJXRaLzvpZf VEsgAHt4u6yfHi0QGovps4GFBOXFksnfMvYkGUxvdp1yvb6NW2PXPXLnwOMk837l IOdap9LrDIwQ4+tkemp6d62w6z+UtC6stzopXIeqGkgv9BbtbY2zsrAKG+pVhDex VdD/iHRiM27u2s0XqD93ZLwrb8O+ot9iNbw3XjiUWc8XM6qsCRpDrPupg4/ppdI2 8XSIspfjkfr0qnXnijIBKWDV347TpNMbsz65nHQCdg4k7j7dhp5yD2dazbPOYZcD kcaSTJ2fLT0D/7DyK4pwrGNkDbryYCFvuSx7n2T9V4ShI1t0peFH9OjpV58uWwSp +dQTlvwuIgYBZu8UzqopPJhR7PBGZuk/qUSVYA2NKoAfbq4LhjFU8IwnG+Wmw2CX FzM5U/KHR1FIKixCoa5ei91Y5+JXvHnylBs18XobFGVkVd0mrI4b7GgacWaPmxy8 tRJCYskt0Pebru3WUiKz1SmWTbonxhc1jbrxgF248oOXEXyZVECSB35Mc0D0VLxT Wz9odH6w+qKyrElP8se6u7RCBRRhWfM7MjhxMnZGOHjlE8/b8Yn28gbMjXoRa+Yh +xg/hQF54JLA0dnM90H8YphFqZG5Qzv18uflo4tO6Xdvyx1R7dc= =Fb4A -----END PGP SIGNATURE----- --vxymbidi4xmqsvb7-- From nobody Sun May 21 16:44:33 2017 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D641C129AC7 for ; Sun, 21 May 2017 16:44:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.602 X-Spam-Level: X-Spam-Status: No, score=-0.602 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNa5IPQUdG1I for ; Sun, 21 May 2017 16:44:30 -0700 (PDT) Received: from castro.crustytoothpaste.net (castro.crustytoothpaste.net [75.10.60.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85E031294C4 for ; Sun, 21 May 2017 16:44:30 -0700 (PDT) Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id A5C5A280AD for ; Sun, 21 May 2017 23:44:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1495410269; bh=QO/hGL1mSXCP4kkWtR2AvQIAwgoD6uTSgLuA79q2C0w=; h=From:To:Subject:Date:In-Reply-To:References:From; b=pFyXTwEKPHOZROrcDtom8mCihGqf1qHVlzdGsj7s0CI2kPu6ac5URQfY0LIxCcSjd kxQUIAB0nydttWes+x6SFnNhGcASDqWbGKpSMvB02vwhfxY2mqdrilUSOAUlg2HDXF 6jhh5itjqLa7X0/ss8Gb807g+JKXmSxDv4iW9b05aoixzh1icAUfV4pa8nqApWzqhc eH+ulgUj1zMcf+JvSYCiSEggDkf0DQxnorE/jDGJTB/z8LKPriOu3VQiy9VI1fs8OM iI4fbbTger7oj2knp6bIF4ctyu2ZSS/ZYh3eTf+S7fzyXiajMbUMZTuGLUpA0c6/Rt 77uOPXx8SoHaM9CcHU4+Dn4Fs0m1K7actOtcEWJE9lAWGp/ln3wXW8rODZTUKYYo5b MHtZmICOhJ5LpGcLSUmaKKREdYXqjIiMWZBniFE0UlqsZJJhIcpvgIn4EPrEatEr5F Wo7GN0RD7KjXUo2Yb3afuPPwan+a1Lth8y76EMddXcBoTB6Junj From: "brian m. carlson" To: openpgp@ietf.org Date: Sun, 21 May 2017 23:44:21 +0000 Message-Id: <20170521234421.252088-1-sandals@crustytoothpaste.net> X-Mailer: git-send-email 2.13.0.303.g4ebf302169 In-Reply-To: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net> References: <20170521234302.gb3qc66zwwchr24j@genre.crustytoothpaste.net> Archived-At: Subject: [openpgp] [PATCH] Add AEAD Encrypted Data Packet with EAX X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 May 2017 23:44:32 -0000 --- middle.mkd | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ template.xml | 11 ++++++++ 2 files changed, 97 insertions(+) diff --git a/middle.mkd b/middle.mkd index c2447d5..b240a5e 100644 --- a/middle.mkd +++ b/middle.mkd @@ -2550,6 +2550,78 @@ packet length. The reason for this is that the hashing rules for modification detection include a one-octet tag and one-octet length in the data hash. While this is a bit restrictive, it reduces complexity. +## {5.14} AEAD Encrypted Data Packet (Tag 18) + +This packet contains data encrypted with an authenticated encryption and +additional data (AEAD) construction. When it has been decrypted, it +will typically contain other packets (often a Literal Data packet or +Compressed Data packet). + +The body of this packet consists of: + + * A one-octet version number. The only currently defined value + is 1. + + * A one-octet cipher algorithm. + + * A one-octet AEAD algorithm. + + * A one-octet chunk size. + + * A starting initialization vector of size specified by the AEAD + algorithm. This value MUST be unique and it MUST be unpredictable. + + * Encrypted data, the output of the selected symmetric-key cipher + operating in the given AEAD mode. + + * A final, summary authentication tag for the AEAD mode. + +An AEAD encrypted data packet consists of one or more chunks of data. +The plaintext of each chunk is of a size specified using the chunk size +octet using the method specified below. + +The encrypted data consists of the encryption of each chunk of +plaintext, followed immediately by the relevant authentication tag. If +the last chunk of plaintext is smaller than the chunk size, the +ciphertext for that data may be shorter; it is nevertheless followed by +a full authentication tag. + +For each chunk, the AEAD construction is given the packet header, +version number, cipher algorithm octet, AEAD algorithm octet, chunk size +octet, and an eight-octet, big-endian chunk index as additional +data. The index of the first chunk is zero. + +After the final chunk, the AEAD algorithm is used to produce a final +authentication tag encrypting the empty string. This AEAD instance is +given the additional data specified above, plus an eight-octet, +big-endian values specifying the total number of plaintext octets +encrypted. This allows detection of a truncated ciphertext. + +The chunk size octet specifies the size of chunks using the following +formula (in C), where c is the chunk size octet: + + chunk_size = ((uint64_t)1 << (c + 6)) + +An implementation MUST support chunk size octets with values from 0 +to 10. An implementation MAY support other chunk sizes. Chunk size +octets with values larger than 127 are reserved for future extensions. + +A new random initialization vector MUST be used for each message. + +### {5.14.1} EAX Mode + +The only currently defined AEAD algorithm is EAX Mode +[](#EAX). This algorithm can only use block ciphers with 16-octet +blocks. The starting initialization vector and authentication tag are +both 16 octets long. + +The nonce for EAX mode is computed by treating the starting +initialization vector as a 16-octet, big-endian value and +exclusive-oring the low eight octets of it with the chunk index. + +The security of EAX requires that the nonce is never reused, hence the +requirement that the starting initialization vector be unique. + # {6} Radix-64 Conversions As stated in the introduction, OpenPGP's underlying native @@ -3087,6 +3159,16 @@ require the use of SHA-1 with the exception of computing version 4 key fingerprints and for purposes of the MDC packet. Implementations SHOULD NOT use MD5 or RIPE-MD/160. +## {9.5} AEAD Algorithms + + ID Algorithm + -------- --------- + 1 EAX [](#EAX) + 100--110 Private/Experimental algorithm + +Implementations MUST implement EAX. Implementations MAY implement +other algorithms. + # {10} IANA Considerations OpenPGP is highly parameterized, and consequently there are a number @@ -4485,6 +4567,10 @@ SHOULD be rejected. - Although technically possible, the EdDSA algorithm MUST NOT be used with a digest algorithms weaker than SHA2-256. + - Implementations should consider limiting chunk sizes for AEAD + algorithms to avoid denial-of-service attacks when decrypting + messages. + OpenPGP was designed with security in mind, with many smart, intelligent people spending a lot of time thinking about the diff --git a/template.xml b/template.xml index 68651ba..85782ce 100644 --- a/template.xml +++ b/template.xml @@ -91,6 +91,17 @@ + + + + A Conventional Authenticated-Encryption Mode + + + + + + + A Public-Key Cryptosystem and a -- 2.13.0.303.g4ebf302169 From nobody Wed May 31 05:35:35 2017 Return-Path: <session-request@ietf.org> X-Original-To: openpgp@ietf.org Delivered-To: openpgp@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 401F312946D; Wed, 31 May 2017 05:35:33 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: IETF Meeting Session Request Tool <session-request@ietf.org> To: <session-request@ietf.org> Cc: ekr@rtfm.com, openpgp@ietf.org, barryleiba@gmail.com, openpgp-chairs@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.52.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <149623413325.19832.2021818773898273949.idtracker@ietfa.amsl.com> Date: Wed, 31 May 2017 05:35:33 -0700 Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/03qKebVau01v2LL1VEbmfAzv7qw> Subject: [openpgp] openpgp - Not having a session at IETF 99 X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.22 List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org> List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe> List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/> List-Post: <mailto:openpgp@ietf.org> List-Help: <mailto:openpgp-request@ietf.org?subject=help> List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe> X-List-Received-Date: Wed, 31 May 2017 12:35:33 -0000 Barry Leiba, a chair of the openpgp working group, indicated that the openpgp working group does not plan to hold a session at IETF 99. This message was generated and sent by the IETF Meeting Session Request Tool.