From owner-freebsd-security@FreeBSD.ORG Thu Jun 26 01:22:27 2014
Date: Wed, 25 Jun 2014 18:22:26 -0700
From: John-Mark Gurney
To: freebsd-security@FreeBSD.org
Subject: fast or slow crypto?
Message-ID: <20140626012226.GX1560@funkthat.com>
Mail-Followup-To: freebsd-security@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.2-RELEASE i386
X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html
X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?

Subj is more limited by your attack profile than purely fast crypto.. In some cases the crypto can be made reasonably fast while being secure against side channel analysis, but in other cases (GHASH) it's pretty much one (slow and secure) or the other (fast and insecure)...

The question I have is what attack profile are we going for? Do we want to make this an option?

The reason I ask is that I'm working on adding AES-GCM to FreeBSD, but the speed difference between the two is significant... We are looking at 35MB/sec for slow, vs. 234MB/sec for fast, almost 7x faster, for running the GHASH part of GCM... The fast one does help use tricks to try to prevent cache line snooping, but it turns out that you can snoop even on intra-cache line accesses (the first word of a cache line is accessed significantly faster than others on amd64 machines)... So, even the fast one isn't 100% secure...

So, how do we address this? One idea I have had is to have both in the kernel, and then via a tunable/sysctl/kernel compile option select which one gets used... This is both good and bad.. Choice is good; the bad part is that whichever choice we make the default will be the wrong choice for a non-small group of our users...

Hopefully now that side channel is well appreciated, future crypto designs will not have this issue (here's looking at you ChaCha20/Poly1305) and this won't have to last that long... But till then, we still need to make the choice...

Comments?

--
John-Mark Gurney				Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
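The two GHASH variants the mail weighs, as an added example that is not part of the original post and not FreeBSD's own GCM code: a constant-time bit-serial GF(2^128) multiply (the "slow" path) next to a 4-bit table-driven multiply (a stand-in for the "fast" path; the mail does not say which table technique the FreeBSD implementation uses, so this is an assumption), both behind a `use_table` flag that plays the role of the proposed tunable. All function names (`gf128_mul_ct`, `gf128_mul_table`, `ghash`, `ghash_selftest`) are this example's own. The known-answer values come from test case 2 of the GCM specification (H = AES-128 of a zero block under a zero key, one all-zero plaintext block), so both paths can be checked against a published result; the 35 vs. 234 MB/sec figures are the author's measurements and are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GF(2^128) element in GCM bit order: field bit 0 is the MSB of byte 0, so the
 * reduction constant R = 0xe1 || 0^120 sits in the top byte of the high word. */
typedef struct { uint64_t hi, lo; } gf128;
#define GF128_R 0xe100000000000000ULL

static gf128 gf128_load(const uint8_t b[16]) {
    gf128 v = {0, 0};
    for (int i = 0; i < 8; i++) { v.hi = (v.hi << 8) | b[i]; v.lo = (v.lo << 8) | b[8 + i]; }
    return v;
}
static void gf128_store(uint8_t b[16], gf128 v) {
    for (int i = 7; i >= 0; i--) {
        b[i] = (uint8_t)v.hi; b[8 + i] = (uint8_t)v.lo; v.hi >>= 8; v.lo >>= 8;
    }
}
/* Multiply by x (the spec's "V >> 1" step); the bit shifted out selects R via
 * an all-ones/all-zeros mask, so there is no secret-dependent branch. */
static gf128 gf128_mulx(gf128 v) {
    uint64_t carry = 0 - (v.lo & 1);
    v.lo = (v.lo >> 1) | (v.hi << 63);
    v.hi = (v.hi >> 1) ^ (carry & GF128_R);
    return v;
}
/* "Slow" multiply: 128 bit-serial steps doing identical loads and ALU work
 * whatever the secret bits of x are, so there is nothing to snoop. */
static gf128 gf128_mul_ct(gf128 x, gf128 h) {
    gf128 z = {0, 0}, v = h;
    for (int i = 0; i < 128; i++) {
        uint64_t word = (i < 64) ? x.hi : x.lo;              /* i is public */
        uint64_t mask = 0 - ((word >> (63 - (i & 63))) & 1); /* 0 or ~0 */
        z.hi ^= v.hi & mask;
        z.lo ^= v.lo & mask;
        v = gf128_mulx(v);
    }
    return z;
}
/* "Fast" multiply: T[n] = n * H for the 16 nibble values (bit 3 of n is the x^0
 * coefficient, GCM order), then 32 lookups per block instead of 128 steps. */
typedef struct { gf128 t[16]; } ghash_table;

static void ghash_table_init(ghash_table *tab, gf128 h) {
    tab->t[0].hi = tab->t[0].lo = 0;
    tab->t[8] = h;
    for (int i = 8; i > 1; i >>= 1) tab->t[i >> 1] = gf128_mulx(tab->t[i]); /* 4, 2, 1 */
    for (int i = 2; i <= 8; i <<= 1)                                 /* 3, 5..7, 9..15 */
        for (int j = 1; j < i; j++) {
            tab->t[i + j].hi = tab->t[i].hi ^ tab->t[j].hi;
            tab->t[i + j].lo = tab->t[i].lo ^ tab->t[j].lo;
        }
}
/* Horner evaluation over the 32 nibbles of x, last nibble first. The 256-byte
 * table spans four cache lines; which line, and which slot inside it, is touched
 * is chosen by nibbles of the running hash state, which is secret. */
static gf128 gf128_mul_table(const ghash_table *tab, gf128 x) {
    uint8_t xb[16];
    gf128 z = {0, 0};
    gf128_store(xb, x);
    for (int i = 15; i >= 0; i--) {
        unsigned nib[2] = { xb[i] & 0x0fu, xb[i] >> 4 };   /* bits 8i+4.., then 8i.. */
        for (int n = 0; n < 2; n++) {
            for (int k = 0; k < 4; k++) z = gf128_mulx(z);  /* z *= x^4 */
            z.hi ^= tab->t[nib[n]].hi;                      /* secret-indexed load */
            z.lo ^= tab->t[nib[n]].lo;
        }
    }
    return z;
}
/* GHASH_H over whole 16-byte blocks: Y_i = (Y_{i-1} xor X_i) * H. The use_table
 * flag stands in for the tunable/sysctl switch the mail proposes. */
static void ghash(const uint8_t hkey[16], const uint8_t *blocks, size_t nblocks,
                  int use_table, uint8_t out[16]) {
    gf128 h = gf128_load(hkey), y = {0, 0};
    ghash_table tab;
    if (use_table) ghash_table_init(&tab, h);
    for (size_t i = 0; i < nblocks; i++) {
        gf128 x = gf128_load(blocks + 16 * i);
        y.hi ^= x.hi; y.lo ^= x.lo;
        y = use_table ? gf128_mul_table(&tab, y) : gf128_mul_ct(y, h);
    }
    gf128_store(out, y);
}
/* Known-answer check against GCM spec test case 2 (AES-128, all-zero key, one
 * all-zero plaintext block): returns 1 if both paths match the published value. */
static int ghash_selftest(void) {
    static const uint8_t h[16] = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,
                                   0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
    static const uint8_t blocks[32] = {        /* C, then len(A)=0 || len(C)=128 */
        0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78,
        0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x80 };
    static const uint8_t expect[16] = { 0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,
                                        0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85 };
    uint8_t slow[16], fast[16];
    ghash(h, blocks, 2, 0, slow);
    ghash(h, blocks, 2, 1, fast);
    return memcmp(slow, expect, 16) == 0 && memcmp(fast, expect, 16) == 0;
}
int main(void) {
    printf("GHASH known-answer test: %s\n", ghash_selftest() ? "PASS" : "FAIL");
    return 0;
}
```

The point of putting both under one `ghash()` entry is the review question the mail raises: the two paths are interchangeable in output, so a kernel switch between them is cheap to build, but they are not interchangeable in what a co-resident process can observe. In the table path the only secret-dependent operation is the `tab->t[nib[n]]` load, and since the table is a quarter kilobyte, the index decides both which of four cache lines and which 16-byte slot inside that line is read, which is exactly the intra-line granularity the mail notes is measurable on amd64. The bit-serial path touches no memory at a secret-dependent address and takes no secret-dependent branch, at the cost of 128 shift-and-xor rounds per block.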