[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201204181317.GD577125@mit.edu>
Date: Fri, 4 Dec 2020 13:13:17 -0500
From: "Theodore Y. Ts'o" <tytso@....edu>
To: David Howells <dhowells@...hat.com>
Cc: Chuck Lever <chuck.lever@...cle.com>,
Bruce Fields <bfields@...ldses.org>,
CIFS <linux-cifs@...r.kernel.org>,
Linux NFS Mailing List <linux-nfs@...r.kernel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Trond Myklebust <trond.myklebust@...merspace.com>,
linux-crypto@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-afs@...ts.infradead.org
Subject: Re: Why the auxiliary cipher in gss_krb5_crypto.c?
On Fri, Dec 04, 2020 at 02:59:35PM +0000, David Howells wrote:
> Hi Chuck, Bruce,
>
> Why is gss_krb5_crypto.c using an auxiliary cipher? For reference, the
> gss_krb5_aes_encrypt() code looks like the attached.
>
> From what I can tell, in AES mode, the difference between the main cipher and
> the auxiliary cipher is that the latter is "cbc(aes)" whereas the former is
> "cts(cbc(aes))" - but they have the same key.
>
> Reading up on CTS, I'm guessing the reason it's like this is that CTS is the
> same as the non-CTS, except for the last two blocks, but the non-CTS one is
> more efficient.
The reason to use CTS is if you don't want to expand the size of the
cipher text to the cipher block size. e.g., if you have a 53 byte
plaintext, and you can't afford to let the ciphertext be 56 bytes, the
cryptographic engineer will reach for CTS instead of CBC.
So that probably explains the explanation to use CTS (and it's
required by the spec in any case). As far as why CBC is being used
instead of CTS, the only reason I can think of is the one you posted.
Perhaps there was some hardware or software configureation where
cbc(aes) was hardware accelerated, and cts(cbc(aes)) would not be?
In any case, using cbc(aes) for all but the last two blocks, and using
cts(cbc(aes)) for the last two blocks, is identical to using
cts(cbc(aes)) for the whole encryption. So the only reason to do this
in the more complex way would be because for performance reasons.
- Ted
Powered by blists - more mailing lists