lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2131432.1704991328@warthog.procyon.org.uk>
Date: Thu, 11 Jan 2024 16:42:08 +0000
From: David Howells <dhowells@...hat.com>
To: Herbert Xu <herbert@...dor.apana.org.au>,
    Chuck Lever III <chuck.lever@...cle.com>
cc: dhowells@...hat.com, Jeff Layton <jlayton@...nel.org>,
    linux-afs@...ts.infradead.org, linux-nfs@...r.kernel.org,
    linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Rebuilding at least part of my krb5 crypto lib on crypto-aead

Hi Herbert, Chuck,

I've been thinking more on how I might go about rebuilding at least part of my
krb5 crypto library on top of the AEAD template.

I don't think it makes sense to try and put the entirety of it in there.
There are functions that completely don't fit (such as key generation) and the
catalogue of Kerberos type values and associated parameters.

Also, I'm not sure it makes sense to try and squeeze the Integrity-type
operations get_mic and verify_mic as AEAD.  get_mic might work as AEAD, but
all a wrapper would add is to emplace the checksum into ciphertext buffer.
The actual checksumming is handled by a SHASH algorithm perfectly well.
verify_mic doesn't really make sense as it has no output other than "yes/no" -
and so is also handled fine by a SHASH algorithm.

Where it does make sense is at the core of the encrypt/decrypt ops where I
have four compound ops to choose from:

	- encrypt-then-hash
	- hash-then-decrypt
	- hash-then-encrypt
	- decrypt-then-hash

These can conceivably be hardware optimised to do both parts of the op
simultaneously.  I *think* I've seen a suggestion that x86_64 AVX has
sufficient registers available to do both AES and SHA simultaneously, say.

The question I then have is this: How do I parameterise the crypto algorithm
inside AEAD?  Can I do something like:

	cipher = crypto_alloc_sync_aead("enc-then-hash(cts(cbc(camellia)),cmac(camellia))");

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ