From: Alexey Ivanov
Date: Tue, 13 Jan 2015 21:25:36 -0800
Subject: Re: ChaCha8/12/20 and GEOM ELI tests
To: rozhuk.im@gmail.com, Gleb Kurtsou
Cc: freebsd-hackers@freebsd.org, Adam Nowacki, freebsd-geom@FreeBSD.org
In-Reply-To: <20150114041708.GA3189@reks>
Message-Id: <29DB9466-3DF9-4191-9476-C46BF350848D@gmail.com>

> On Jan 13, 2015, at 8:17 PM, Gleb Kurtsou wrote:
>
> On (14/01/2015 05:21), rozhuk.im@gmail.com wrote:
>>> Maybe faster, but a stream cipher is unusable for disk encryption - the IV
>>> is derived from the sector number and doesn't change. Being able to write a
>>> known plaintext and read the resulting ciphertext allows you to recover the
>>> cipher stream and decrypt any past or future data stored on that
>>> sector.
>>
>> Depends on the capabilities of the attacker.
>>
>> To be able to continuously read encrypted sectors for data collection
>> is too much.
>
> I disagree. It's the most basic attack scenario. Assuming the attacker was
> able to get access to the encrypted disk once, odds are high it may happen
> again.

Agreed: in day-to-day life, if anyone had the ability to read content off a laptop's HDD when it is hibernated, he would break the encryption.
In the server world, if one has access to two HDDs from the same RAID1 from different points in time, he also will have the ability to decrypt data.
>
>
>> The ability to read encrypted sectors exists over a transmission network, for example when the container=disk is stored somewhere in the cloud.
>>
>> In many cases, the attacker gets the encrypted disk along with other equipment, often in the off state,
>> without encryption keys and without the ability to write/read through GELI.
>>
>> I do not see any weaknesses of stream ciphers in cases when the attacker is not able to access the disk while it is mounted in GEOM GELI.
>>
>> Another possibility is the use of ChaCha (without XTS) for encrypting the
>> swap file: there a new key is generated every time, and besides, speed
>> is particularly important.
>
> A stream cipher (or a similarly functioning block cipher mode) should not be
> used for disk encryption. IMHO swap encryption hardly justifies adding an
> insecure encryption mode to geli. Fast swap is certainly nice to have,
> but it rather remains snake oil; the system will remain trashed due to
> swapping no matter how fast swap is.

Agreed again; if one really wants to add a stream cipher, he should then securely generate a random IV and write it to disk along with the data (e.g. as g_eli_integrity.c does for HMAC, or even something simpler, since one does not have the requirement of storing the IV on the same sector as the data).

>
>
>> These aspects of the application must necessarily be reflected in the documentation.
>>
>>
>> Are there objections to adding ChaCha and XChaCha (without XTS) to GEOM GELI?
>
> I strongly object.

Yep, though having ChaCha as a replacement for arc4 in both userland [1][2] and the kernel would be nice.
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182610
[2] http://marc.info/?l=openbsd-tech&m=141807224826859&w=2

>
> Having XTS mode for a stream cipher in the first place looks really fishy..
>
> Originally, encryption is defined as:
> T = AES-ENC(key2, i) (*) alpha_j
> PP = P (*) T
> CC = AES-ENC(key1, PP)
> C = CC (*) T
>
> In the stream cipher case:
> T = CHACHA(key2, state2) (*) i (*) alpha_j
> PP = P (*) T
> CC = CHACHA(key1, state1) (*) PP
> C = CC (*) T
>
> CC = CHACHA(key1, state1) (*) P (*) T
> C = CC (*) T
>
> C = CHACHA(key1, state1) (*) P
>
> It doesn't depend on i, j or key2. state1 should be the same as well.
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
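Gleb's derivation above, carried out in Python as an added example that is not part of the thread: an HMAC-SHA256 counter keystream stands in for CHACHA(key, state) (an assumption; the algebra holds for any stream cipher), the construction is computed step by step, and two checks confirm that the XTS tweak cancels and that a second write to the same sector under the same (key1, state1) leaks the XOR of the two plaintexts, which is the keystream-reuse failure the quoted text warns about.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per unit the derivation works on (one "block" i of a sector)

def keystream(key: bytes, state: bytes, n: int) -> bytes:
    """Stand-in for CHACHA(key, state): deterministic keystream from (key, state)
    via HMAC-SHA256 in counter mode (assumption: any stream cipher behaves the
    same way for this argument; the real ChaCha core is not needed here)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, state + ctr.to_bytes(8, "little"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xts_with_stream_cipher(key1, state1, key2, state2, sector, j, p):
    """Gleb's construction computed literally, with (*) as XOR, i the sector
    number and alpha_j a per-block tweak:
       T  = CHACHA(key2, state2) (*) i (*) alpha_j
       PP = P (*) T
       CC = CHACHA(key1, state1) (*) PP
       C  = CC (*) T"""
    i_bytes = sector.to_bytes(BLOCK, "little")
    alpha_j = (1 << j).to_bytes(BLOCK, "little")  # constructed tweak for block j
    t = xor(xor(keystream(key2, state2, BLOCK), i_bytes), alpha_j)
    pp = xor(p, t)
    cc = xor(keystream(key1, state1, BLOCK), pp)
    return xor(cc, t)

def plain_stream_encrypt(key1, state1, p):
    """What the construction collapses to: C = CHACHA(key1, state1) (*) P."""
    return xor(keystream(key1, state1, BLOCK), p)

def tweak_is_cancelled(p: bytes) -> bool:
    """Same (key1, state1) but different key2, state2, sector and block index:
    both ciphertexts are identical and equal the plain keystream XOR."""
    k1, s1 = b"K" * 32, b"S" * 8  # constructed sample keys
    c_a = xts_with_stream_cipher(k1, s1, b"A" * 32, b"a" * 8, 7, 0, p)
    c_b = xts_with_stream_cipher(k1, s1, b"B" * 32, b"b" * 8, 99999, 5, p)
    return c_a == c_b == plain_stream_encrypt(k1, s1, p)

def rewrite_leaks_plaintext_xor(p_old: bytes, p_new: bytes) -> bytes:
    """Two writes to the same sector with a fixed (key1, state1): XOR of the
    ciphertexts equals XOR of the plaintexts, i.e. the keystream is reused."""
    k1, s1, k2, s2 = b"K" * 32, b"S" * 8, b"A" * 32, b"a" * 8  # constructed keys
    c_old = xts_with_stream_cipher(k1, s1, k2, s2, 7, 0, p_old)
    c_new = xts_with_stream_cipher(k1, s1, k2, s2, 7, 0, p_new)
    return xor(c_old, c_new)
```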