lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 07 Jan 2017 16:37:36 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     Jason@...c4.com
Cc:     ebiggers3@...il.com, jeanphilippe.aumasson@...il.com,
        gregkh@...uxfoundation.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, ak@...ux.intel.com,
        David.Laight@...lab.com, tom@...bertland.com,
        hannes@...essinduktion.org, eric.dumazet@...il.com
Subject: Re: [PATCH v2 net-next 3/4] secure_seq: use SipHash in place of MD5

From: "Jason A. Donenfeld" <Jason@...c4.com>
Date: Sat,  7 Jan 2017 15:40:56 +0100

> This gives a clear speed and security improvement. Siphash is both
> faster and is more solid crypto than the aging MD5.
> 
> Rather than manually filling MD5 buffers, for IPv6, we simply create
> a layout by a simple anonymous struct, for which gcc generates
> rather efficient code. For IPv4, we pass the values directly to the
> short input convenience functions.
> 
> 64-bit x86_64:
> [    1.683628] secure_tcpv6_sequence_number_md5# cycles: 99563527
> [    1.717350] secure_tcp_sequence_number_md5# cycles: 92890502
> [    1.741968] secure_tcpv6_sequence_number_siphash# cycles: 67825362
> [    1.762048] secure_tcp_sequence_number_siphash# cycles: 67485526
> 
> 32-bit x86:
> [    1.600012] secure_tcpv6_sequence_number_md5# cycles: 103227892
> [    1.634219] secure_tcp_sequence_number_md5# cycles: 94732544
> [    1.669102] secure_tcpv6_sequence_number_siphash# cycles: 96299384
> [    1.700165] secure_tcp_sequence_number_siphash# cycles: 86015473
> 
> Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>

This and the next patch are a real shame, performance wise, on cpus
that have single-instruction SHA1 and MD5 implementations.  Sparc64
has both, and I believe x86_64 can do SHA1 these days.

It took so long to get those instructions into real silicon, and then
have software implemented to make use of them as well.

Who knows when we'll see SipHash widely deployed in any instruction
set, if at all, right?  And by that time we'll possibly find out that
"Oh shit, this SipHash thing has flaws!" and we'll need
DIPPY_DO_DA_HASH and thus be forced back to a software implementation
again.

I understand the reasons why these patches are being proposed, I just
thought I'd mention the issue of cpus that implement secure hash
algorithm instructions.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ