by wolf550e 1823 days ago
You can run chacha20-poly1305 decryption without verifying the MAC, and accept that an adversary can accurately bitflip any and all bits they want. Normal tools don't have command line flags for that, but a recovery tool can do that no problem using the same exact code as age.

If that were true, would that then mean that age would be malleable by flipping around and deleting and duplicating blocks? How does it ensure continuity without preventing recovery of blocks subsequent to the bad one? I have not dug into the age code to figure out how the encryption works so I am guessing here.
I'm not sure you understand what the previous commenter was suggesting. They're saying the receiver of an `age` message could, in theory, skip authenticating the ciphertext. They would have to do so deliberately (so deliberately that the code to do it doesn't exist), and the entire point of doing so would be to defeat message security in an attempt to do data recovery.

I think you should probably dig into the age code before writing posts about why PGP is better than age. The question of whether adversaries can modify age messages in transit is a pretty basic one.

The actual damaged 64K age blocks would likely be unrecoverable after the start of the damage unless the chacha20-poly1305 ended up being self-synchronizing as it was used (as opposed to the CFB that OpenPGP specifies). The question I can't answer is if the undamaged 64K age blocks would then be recoverable. There might be just a counter, but you could instead (also) make a particular block dependent on the previous one(s).
Do you understand that chacha20 is CTR? A bit flip only affects that single bit, does not propagate to any other bits?
From that can I get that an age recovery utility would need to detect missing data and would then need to insert dummy blocks (or the equivalent)? I guess there would have to be a minor element of brute force involved as there would be no easy way to distinguish bad blocks from the blocks after the missing chunk.