
[openpgp] Chunked OpenPGP streams

Hi there,

It's convenient to use OpenPGP streams to avoid creation of temporary
files, as illustrated in the following pipeline:

    tar -c / | gpg -r $KEYID --sign --encrypt | ssh remote.example.org 'cat >backup.tar.gpg'

(using GnuPG [0] as OpenPGP implementation).  Unfortunately, since
integrity mechanisms are appended at the very end of the data stream,
the same technique cannot be used when decrypting and/or verifying a
data stream.  For instance

    gpg --decrypt backup.tar.gpg | tar -C /restore -x

could crash the system if an attacker has replaced ‘backup.tar.gpg’ with
a tar bomb.  The problem arises because unverified data is written to
the standard output, which is hard to avoid since the hash is computed
on the full data stream and is not available until the very end of the

I wonder if chunked streams could make their way to RFC4880bis instead.
The verification mechanism (MDC or data signature) would be added to
each chunk using the intermediate hash value, and a compatible
implementation would cache each chunk, update the hash context, and
*then* write down the chunk to the output File Descriptor *only* after
verifying its integrity.  (If there is not enough RAM to cache a chunk
one could always fall back to the creation of a temporary file.)
AFAICT using intermediate hash values is enough to cryptographically
glue the chunks together in an order-preserving way.

What do you folks think?

[0] https://gnupg.org/
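
A sketch of the cache-verify-release loop proposed above, added as an illustration; it is not part of the original message and not OpenPGP or GnuPG code. Assumptions: a running HMAC-SHA256 under a shared key stands in for the MDC or signature, the record framing and all function names are hypothetical, and the authenticated end-of-stream record (so that truncation is detected) goes beyond what the message describes.

```python
import hashlib
import hmac
import io
import struct

class IntegrityError(Exception):
    pass

def write_chunked(key, src, dst, chunk_size=4096):
    """Emit [final:1][len:4][data][tag:32] records, ending with an empty final one."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    while True:
        chunk = src.read(chunk_size)
        header = struct.pack(">BI", int(not chunk), len(chunk))
        mac.update(header + chunk)
        dst.write(header + chunk + mac.copy().digest())  # intermediate value
        if not chunk:
            return

def _read_exact(src, n):
    data = src.read(n)
    if len(data) != n:
        raise IntegrityError("stream truncated")
    return data

def read_verified(key, src, dst, max_chunk=1 << 20):
    """Cache each chunk, verify it, and only then write it to dst."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    final = 0
    while not final:  # loop ends only on an authenticated final record
        header = _read_exact(src, 5)
        final, length = struct.unpack(">BI", header)
        if length > max_chunk:  # bound the cache before trusting the length
            raise IntegrityError("chunk exceeds cache limit")
        chunk, tag = _read_exact(src, length), _read_exact(src, 32)
        mac.update(header + chunk)
        if not hmac.compare_digest(mac.copy().digest(), tag):
            raise IntegrityError("chunk failed verification")
        dst.write(chunk)  # released only after the check above

def demo():  # constructed sample: corrupt chunk 2, return the bytes released
    key, framed, out = b"k" * 32, io.BytesIO(), io.BytesIO()
    write_chunked(key, io.BytesIO(b"A" * 10), framed, chunk_size=4)
    blob = bytearray(framed.getvalue())
    blob[46] ^= 1  # first data byte of the second 41-byte record
    try:
        read_verified(key, io.BytesIO(bytes(blob)), out)
    except IntegrityError:
        pass
    return out.getvalue()
```

Because each tag is taken from the same running context, a reordered or dropped record fails at the first position where the stream diverges, and the consumer never sees more than the chunks verified up to that point.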
