by nmadden
2367 days ago
An example of why I think this is important. Adam Langley’s post that is linked from the spec [1] talks about cases where people want to do things like: decrypt file | tar xz
Elsewhere in these comments somebody also mentioned the case of decrypt file | sh
Presumably the whole point of implementing the STREAM online AEAD mode is to support these kinds of cases; only releasing chunks of plaintext after verification.

But these use-cases are only secure in age when using the scrypt decryption option or if you have first verified a signature over the entire age-encrypted archive (killing the streaming use-case). The reason is that the X25519 age variant provides no sender authentication at all, and so an attacker doesn’t need to tamper with the archive: they can just generate their own ephemeral key pair and replace the entire thing with data of their choosing. Age has no way of detecting such an attack. You absolutely need origin/sender authentication built directly into the tool to handle these cases securely.

[1]: https://www.imperialviolet.org/2014/06/27/streamingencryptio...
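Added example, not part of the comment above and not code from age: a small Python model of the property the comment describes, showing that a valid authentication tag in public-key mode only proves the file is intact, while in passphrase mode it also proves the writer knew the secret. The Diffie-Hellman group, the encrypt-then-MAC construction and all function names are constructed stand-ins, not age's format or primitives.

```python
import hashlib, hmac, secrets

# Constructed stand-in for X25519: Diffie-Hellman modulo the prime 2**255 - 19.
# Illustrative only; this is not age's file format or its real primitives.
P, G = 2**255 - 19, 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _subkeys(secret):
    return [hmac.new(secret, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _xor(key, data):
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _seal(secret, data):  # encrypt-then-MAC under keys derived from `secret`
    enc, mac = _subkeys(secret)
    ct = _xor(enc, data)
    return ct, hmac.new(mac, ct, hashlib.sha256).digest()

def _open(secret, ct, tag):  # verify the tag before releasing any plaintext
    enc, mac = _subkeys(secret)
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(enc, ct)

def encrypt_to_public_key(recipient_pk, data):
    # Needs only the recipient's PUBLIC key plus a fresh ephemeral key pair,
    # so the resulting file says nothing about who produced it.
    esk, epk = keygen()
    return (epk, *_seal(pow(recipient_pk, esk, P).to_bytes(32, "big"), data))

def decrypt_with_private_key(recipient_sk, file):
    epk, ct, tag = file
    return _open(pow(epk, recipient_sk, P).to_bytes(32, "big"), ct, tag)

def _kdf(passphrase, salt):
    return hashlib.scrypt(passphrase, salt=salt, n=2**12, r=8, p=1)

def encrypt_with_passphrase(passphrase, data):
    # Needs the shared passphrase, so a valid tag implies the writer knew it.
    salt = secrets.token_bytes(16)
    return (salt, *_seal(_kdf(passphrase, salt), data))

def decrypt_with_passphrase(passphrase, file):
    salt, ct, tag = file
    return _open(_kdf(passphrase, salt), ct, tag)
```

In the public-key functions every check passes for any writer who holds the recipient's public key, which is why verifying origin has to come from something outside the per-file tag (a signature over the file, or a shared secret as in the passphrase functions).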