From owner-freebsd-geom@FreeBSD.ORG Wed Jan 14 08:19:14 2015 Return-Path: Delivered-To: freebsd-geom@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A7F708D4; Wed, 14 Jan 2015 08:19:14 +0000 (UTC) Received: from mail-pd0-x22f.google.com (mail-pd0-x22f.google.com [IPv6:2607:f8b0:400e:c02::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 70C3FAED; Wed, 14 Jan 2015 08:19:14 +0000 (UTC) Received: by mail-pd0-f175.google.com with SMTP id g10so8469922pdj.6; Wed, 14 Jan 2015 00:19:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:cc:subject:message-id:mail-followup-to :references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=z39auAyU1xAIfcO+9x6ZRvEFBILqgI+UTjBpEL6MgQ4=; b=MMuKIXXXI01+z0Q8wCazepjkdzNr2jrkWZMl/zZLjh4abnAbedbCuPcVGYcA5ckBtG v2lAnsJ/eD0mNRNEf2due18vHsSIO0DYBMsCiiIeJ43tak1QrXK/Yyomixpq9+KTBmmx 1JcN4MZDWJMxaFPszNzOHtqMNU5hpdUM+3QBPxRIcFeyllgq+Pih7obNkKQs6dnb/LJa 5Z/4YClMQnZdhWuxhfuMk9lVQEk7Gb9VuAOPkCqlzX21j6UdRs0R1nYVagMrktfZT3+Z fRjydn8lUSUPqzhVolEC6xQInHV+ymwO7sKtEwDr/N3yAG6DuMp5REOGvVfqvgAXUFWX +daA== X-Received: by 10.66.138.72 with SMTP id qo8mr3962018pab.84.1421223553973; Wed, 14 Jan 2015 00:19:13 -0800 (PST) Received: from localhost (c-76-21-76-83.hsd1.ca.comcast.net. [76.21.76.83]) by mx.google.com with ESMTPSA id ig1sm18952791pbc.41.2015.01.14.00.19.12 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Jan 2015 00:19:13 -0800 (PST) Sender: Gleb Kurtsou Date: Wed, 14 Jan 2015 00:20:19 -0800 From: 'Gleb Kurtsou' To: rozhuk.im@gmail.com Subject: Re: ChaCha8/12/20 and GEOM ELI tests Message-ID: <20150114082019.GA3669@reks> Mail-Followup-To: rozhuk.im@gmail.com, 'Adam Nowacki' , freebsd-hackers@freebsd.org, freebsd-geom@FreeBSD.org References: <54b33bfa.e31b980a.3e5d.ffffc823@mx.google.com> <54B4AE55.9090205@platinum.linux.pl> <54b5d299.4914980a.61cd.43a6@mx.google.com> <20150114041708.GA3189@reks> <54b601ec.0515980a.0c9c.47e1@mx.google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <54b601ec.0515980a.0c9c.47e1@mx.google.com> User-Agent: Mutt/1.5.23 (2014-03-12) Cc: freebsd-hackers@freebsd.org, freebsd-geom@FreeBSD.org, 'Adam Nowacki' X-BeenThere: freebsd-geom@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: GEOM-specific discussions and implementations List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2015 08:19:14 -0000 On (14/01/2015 08:43), rozhuk.im@gmail.com wrote: > > On (14/01/2015 05:21), rozhuk.im@gmail.com wrote: > > > > Maybe faster but a stream cipher is unusable for disk encryption - > > > > iv is derived from sector number and doesn't change. Being able to > > > > write a known plaintext and read resulting ciphertext allows you to > > > > recover the cipher stream and decrypt any past or future data > > stored > > > > on that sector. > > > > > > Depends on the capabilities of the attacker. > > > > > > To be able to continuously read encrypted sectors for data collection > > > is too much. > > > > I disagree. It's the most basic attack scenario. Assuming attacker was > > able to get access to encrypted disk once, odds are high it may happen > > again. > > From different types of threats, there are various means of protection. > AES-XTC more universal solution, encryption ChaSha more specialized. > Each solution has its pluses and minuses. "various means of protection" is rather confusing. It's either acceptable for disk encryption or not. > AES too slow for me, and options when someone magically going to read my encrypted disk excluded. > In my particular case. It's widely accepted threat model (as was also mentioned elsewhere). So it's rather your particular use case that has magic vibe to it. > I think there will a lot of cases when you need the maximum speed of encryption and all the other factors are not important or unlikely. > > For example, the value of the data may be too low to take the time to decrypt, and the data can be very much and you want to write them down quickly. > > > > > Ability to read encrypted sectors has a transmission network, for > > example when the container=disk is stored somewhere in the cloud. > > > > > > In many cases, the attacker gets Encrypted disk along with other > > equipment, often in the off state. > > > Without encryption keys and the ability to write / read through the > > GELI. > > > > > > I do not see any weaknesses stream ciphers in cases when the attacker > > is not able to access the disk when it is mounted in the GEOM GELI. > > > > > > Another possibility is the use of ChaCha (without XTS) - encryption > > > swap file: there every time a new key is generated, besides the speed > > > is particularly important. > > > > Stream cipher (or similarly functioning block cipher mode) should not > > be used for disk encryption. IMHO swap encryption hardly justifies > > adding insecure encryption mode to geli. Fast swap is certainly nice to > > have, but rather remains a snake oil, system will remain trashed due to > > swapping no matter how fast swap is. > > Can you describe what is weak encryption swap with ChaCha? Stream cipher, as is, is not acceptable for disk encryption. I think we all agree on that. It remains secure as soon as the same key stream is not used twice. By writing data to the same sector one breaks this requirement. I'm not objecting that there is a possibility of building swap encryption on top of stream cipher, but that is likely not to be trivial and would require careful design review. Although I don't see how block device "encrypted" with stream cipher can be secure under assumption that attacker has access to the disk. > > > These aspects of the application must necessarily be reflected in the > > documentation. > > > > > > > > > There are objections to add ChaCha and XChaCha (without XTS) in GEOM > > GELI? > > > > I strongly object. > > Adam Nowacki already explained why XTS can not be used with ChaCha, I realized my mistake. > Now talking about ChaCha/XChaCha without(!!!) XTS. Badly broken for me :) BTW You may want to get rid of SHA in g_eli_crypto_ivgen() for ChaCha in pursue for yet higher performance. As far as I remember Salsa20 has this nice property of letting one start encryption from arbitrary offset in the stream, I assumed that you are using the same in ChaCha for geli. Although having looked at the code it is not that obvious what is going on. There is a method to set iv being used, but not to change counter (stream offset). Is that intentional? Do we reset key for each geli sector to be encrypted? P.S. My objection should only be considered merely my personal opinion. You might have better luck contacting security team directly.