> On Feb 12, 2017, at 5:06 PM, brian m. carlson <***@crustytoothpaste.net> wrote:
>
> I've opened a pull request that defines an AEAD encrypted data packet
> using GCM. This work is necessarily incomplete, because it doesn't
> define a new version of the symmetrically-encrypted data packet, which
> we'd want, and it doesn't define a new encoding for the secret key
> packet.
>
> GCM seems to be the uncontroversial choice here. It's used in TLS and
> other protocols, and it provides adequate security. It isn't encumbered
> by patents. It performs reasonably well.
>
> Other alternatives include OCB and CTR with HMAC. I personally object
> to OCB because it's patented, and while I like CTR with HMAC, it was my
> impression that the rest of the working group would not share my
> opinion.
>
> While I understand that we are not interested in adding general
> extensibility to the protocol, I opted to include an octet for the AEAD
> algorithm in case someone wants to define OCB or something like
> ChaCha20-Poly1305. ChaCha20 cannot use GCM, but it is a popular
> algorithm that performs well on many architectures and is well-suited to
> embedded systems.
>
> I've proposed this as a starting point and welcome further comments.

I'll request that another mode than GCM be used. In particular, I disagree with it being "uncontroversial." It's the most controversial mode you could pick.

GCM is very brittle. It breaks in very bad ways if you aren't careful with nonces/tags. There are many cases of people misusing it and getting worse than no security. I state that because if you *think* you're getting authenticated data, but it's actually been altered in transit, and that will likely cause issues in the receiving state machine.

This paper <https://eprint.iacr.org/2016/475.pdf> is all about real-world cases of unintentional misuse of GCM.

Furthermore, the multiply in GHASH is slow in software. Yes, there are hardware instructions in high-end Intel and ARM processors, but if you do it on lower-end processors or in something like javascript, it's a pain. If you have to conditionally do hardware or software, it makes implementation more difficult.

I think GCM is fine to use in some circumstances, like high-speed VPN boxes, but it's the AEAD mode that comes from ACME. If you are Wile E. Coyote it is going to blow up in your face.

Perhaps most rigorously, the real problem with GCM is GHASH. Anything with GHASH is worrisome.

Your mention of alternatives was incomplete, so I'll bring alternatives up.

We all really want to use OCB. If you look at <http://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm> which is Rogaway's page on it. While it is patented, there are some broad license grants. There's one for open source software, as well as one for non-military software. He's also given one OpenSSL. I'll bet that if someone asked him for a grant for the OpenPGP protocol, he'd probably do it. As it is, the large-swath grants for it (open source, and non-military) suggest that we could either say that's good enough for us or ask for another grant. But if we don't want to, we don't want to. OCB is the mode everyone really wants to use, but I don't want get wrapped around the axle on the controversy here, either.

Beyond OCB, though, there are a lot of alternatives:

* CCM. CCM has been my go-to for AEAD in many cases. It is easy to understand and works well. It is easy to get right. I think that this is an important property, being easy to get right. Its major disadvantage, being a two-pass algorithm, is not that bad for OpenPGP because we have streaming packets in the core protocol. Nonetheless, Rogaway's own paper about it (see the OCB link above for it) is not a bad paper, but remember that Rogaway is arguing against CCM in favor of either OCB or his own EAX.

* ChaCha20+Poly1305. Many of the cool kids are using it. It's fast, reasonably okay to implement, it's in TLS 1.3, and wouldn't be a bad choice. The major criticism I can see is that ChaCha20 is a stream cipher not a streaming mode on a block cipher (like AES or Twofish or whatever). I think most of the legitimate criticisms of it are blunted by its being used a lot in the TLS world.

* SIV. SIV is another Rogaway mode, it's unencumbered, has resistance to misuse, and I can't think of anything bad to say about it other than a plea not to use the GCM version because GHASH. Many cool kids are using it.

* EAX. I tend to discount EAX because it's not OCB, not CCM (which was created to be Not OCB), and not SIV. I wouldn't scream, though. I just think that in this day, it doesn't have an advantage over any non-GCM AEAD thing.

* CTR+HMAC. Like you, I mention it for completeness. But while I think that any of the above would be better, I think it is again better than GCM. It's not sexy but it works, and it's harder to screw up than many things.

So to sum up, I think that GCM is actually controversial and dangerous for generic use.

Jon

---
middle.mkd | 46 ++++++++++++++++++++++++++++++++++++++++++++++
template.xml | 11 +++++++++++
2 files changed, 57 insertions(+)

diff --git a/middle.mkd b/middle.mkd
index 5182c7d..e842938 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -2483,6 +2483,42 @@ packet length. The reason for this is that the hashing rules for
modification detection include a one-octet tag and one-octet length in
the data hash. While this is a bit restrictive, it reduces complexity.

+## {5.14} AEAD Encrypted Data Packet (Tag 18)
+
+This packet contains data encrypted with an authenticated encryption and
+additional data (AEAD) construction. When it has been decrypted, it
+will typically contain other packets (often a Literal Data packet or
+Compressed Data packet).
+
+The body of this packet consists of:
+
+ * A one-octet version number. The only currently defined value
+ is 1.
+
+ * A one-octet cipher algorithm.
+
+ * A one-octet AEAD algorithm.
+
+ * An initialization vector of size specified by the AEAD algorithm.
+ This value MUST be unique and it MUST be unpredictable.
+
+ * Encrypted data, the output of the selected symmetric-key cipher
+ operating in the given AEAD mode.
+
+ * The authentication tag for the AEAD mode.
+
+The AEAD construction is given the packet header, version number, cipher
+algorithm octet, and AEAD algorithm octet as additional data.
+
+### {5.14.1} Galois Counter Mode
+
+The only currently defined AEAD algorithm is Galois Counter Mode
+[](#GCM). This algorithm can only use block ciphers with 16-byte
+blocks. The initialization vector is 12 bytes long.
+
+The security of GCM requires that the counter is never reused, hence the
+requirement that the initialization vector be unique.
+
# {6} Radix-64 Conversions

As stated in the introduction, OpenPGP's underlying native
@@ -3014,6 +3050,16 @@ algorithm.
Implementations MUST implement SHA-1. Implementations MAY implement
other algorithms. MD5 is deprecated.

+## {9.5} AEAD Algorithms
+
+ ID Algorithm
+ -------- ---------
+ 1 GCM [](#GCM)
+ 100--110 Private/Experimental algorithm
+
+Implementations MUST implement GCM. Implementations MAY implement
+other algorithms.
+
# {10} IANA Considerations

OpenPGP is highly parameterized, and consequently there are a number
diff --git a/template.xml b/template.xml
index 9ea1582..f52521e 100644
--- a/template.xml
+++ b/template.xml
@@ -144,6 +144,17 @@
</front>
</reference>

+ <reference anchor='GCM'>
+ <front>
+ <title>Recommendation for Block Cipher Modes of Operation:
+ Galois/Counter Mode (GCM) and GMAC (SP 800-38D)</title>
+ <author>
+ <organization>NIST</organization>
+ </author>
+ <date year="2007" month="November" />
+ </front>
+ </reference>
+
<reference anchor="HAC">
<front>
<title>Handbook of Applied Cryptography</title>
--
2.11.0

Hi,

putting the patent mess aside, there are also a few other question
involved in a new encryption mode:

1. Exactly one mode defined by a new packet number
or a new packet with a parameter to define the mode?

2. Bind the mode to a certain cipher algorithm? For example only allow
a mode with AES.

3. How can we do early detection of corruption? When decrypting
several gigs we should be able to detect corrupted data after having
processed, say, one gig. Shall such a feature be configurable?
Shall we link it to partial length headers.

My ideas here are:

re 1. A new packet with a parameter to define the actual mode. Make
one mode mandatory. Additional parameters should have a length
header so that parsers have an easier way to parse the header
even if they don't implement that mode.

The rational for this is to allow for some experimentation and
separate the packet format from the finally chosen mandatory
mode.

re 2: Binding a mode to an algorithm makes testing easier. This will
also make implementing stream cipher modes easier because it
allows to blur the distinction between cipher algorithm and mode.

re 3: The simplest idea would be to use fixed chunks of the ciphertext
and either link them together using a counter or the hash of the
previous authentication tag. The packet header would give the
length of the chunks in blocks. It needs to be decided whether a
final one-block chunk is okay.



Salam-Shalom,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.