From owner-freebsd-security@FreeBSD.ORG Sat Jun 28 11:10:39 2014
Date: Sat, 28 Jun 2014 04:10:37 -0700
From: John-Mark Gurney
To: freebsd-security@FreeBSD.org
Subject: Re: fast or slow crypto?
Message-ID: <20140628111037.GJ1560@funkthat.com>
References: <20140626012226.GX1560@funkthat.com>
In-Reply-To: <20140626012226.GX1560@funkthat.com>
List-Id: "Security issues [members-only posting]"

John-Mark Gurney wrote this message on Wed, Jun 25, 2014 at 18:22 -0700:
> Subj is more limited by your attack profile, than purely fast crypto..
> In some cases the crypto can be made reasonably fast while being
> secure against side channel analysis, but in other cases (GHASH) it's
> pretty much one (slow and secure) or the other (fast and insecure)...

So, one point I somewhat forget in this is that the version of software
AES in the kernel (that this new GHASH would go with) is vulnerable to
side-channel attacks... So, we are already in the fast and less secure
side of the equation..

There are lots of interesting optimizations that can be made, including
a version of AES that uses SSE registers, is constant time, and faster
than the Sbox lookup version...

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
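The side-channel the message refers to is the classic one for table-driven AES: a lookup like `sbox[secret_byte]` touches a cache line chosen by the secret, and a co-resident observer who can measure cache timing learns something about that byte. The following is an added illustration written for this archive page, not code from the FreeBSD kernel or from the poster. It compares a direct indexed lookup with a constant-time lookup that reads every entry and selects the wanted one with a branch-free mask, so the memory-access pattern no longer depends on the index. The table is a constructed byte permutation (i*97+13 mod 256), not the AES S-box, so the example is self-contained.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table (NOT the AES S-box): a byte permutation built
 * arithmetically so the example needs no 256-entry literal. 97 is odd,
 * so i -> (97*i + 13) mod 256 is a bijection on bytes. */
static uint8_t sample_table[256];

static void init_sample_table(void)
{
    for (unsigned i = 0; i < 256; i++)
        sample_table[i] = (uint8_t)((i * 97u + 13u) & 0xffu);
}

/* Direct lookup: the address read depends on the secret index, so the
 * cache line that gets loaded reveals information about 'index'. */
static uint8_t lookup_direct(const uint8_t *table, uint8_t index)
{
    return table[index];
}

/* Constant-time lookup: read all 256 entries in a fixed order and keep
 * only the one whose position equals 'index', using a mask computed
 * without any branch. The access pattern is identical for every index. */
static uint8_t lookup_ct(const uint8_t *table, uint8_t index)
{
    uint8_t result = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* (i ^ index) is 0 only when i == index; subtracting 1 then
         * borrows to all-ones, and the shift leaves 0xff in the low byte.
         * For every other i the value is < 256 and the shift yields 0. */
        uint8_t mask = (uint8_t)((((unsigned)(i ^ index)) - 1u) >> 8);
        result |= (uint8_t)(table[i] & mask);
    }
    return result;
}

/* Verifies that the constant-time variant returns the same byte as the
 * direct lookup for every possible index. Returns 1 on success, 0 on
 * the first mismatch. */
static int ct_matches_direct(void)
{
    init_sample_table();
    for (unsigned i = 0; i < 256; i++) {
        uint8_t idx = (uint8_t)i;
        if (lookup_ct(sample_table, idx) != lookup_direct(sample_table, idx))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("constant-time lookup %s direct lookup on all 256 inputs\n",
           ct_matches_direct() ? "matches" : "DOES NOT match");
    return 0;
}
```

The cost of the constant-time form is obvious: 256 loads per byte instead of one, which is why the thread contrasts "slow and secure" with "fast and insecure", and why the SSE-register and bitsliced AES variants mentioned above are attractive: they get the same access-pattern independence without scanning a table. Two practical caveats apply to any such code: a compiler is free to turn the mask-select back into a branch or to hoist the single matching load, so constant-time claims have to be checked against the generated assembly, not the C source; and on hardware with AES-NI the whole question is moot, since the S-box never touches memory.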