tech-kern archive
Re: AES leaks, cgd ciphers, and vector units in the kernel
> On Jun 17, 2020, at 7:36 PM, Taylor R Campbell <riastradh%NetBSD.org@localhost> wrote:
>
> ...
> 1. Replace the variable-time AES reference implementation we've been
> using by constant-time AES software from Thomas Pornin's
> high-quality BearSSL library.
> ...
> Performance impact: The cost is that constant-time AES software is
> much slower -- cgd AES-CBC encryption throughput is reduced to
> about 1/3, and decryption to about 1/2 (very roughly). This is
> bad, obviously, but it is mostly addressed by the next two parts.
That's a pretty steep price. It is worth it for some, not clear if it's worth it for others. If I understand right, these are local attacks, not network attacks. Users may judge that the risk from local attacks is not sufficient to pay this price.
> 2. Add support for CPU AES instructions on Intel, AMD, VIA, and
> aarch64 CPUs to implement the kernel's synchronous AES API,
> including machinery to allow the kernel to use the CPU's vector
> unit.
Are those constant-time instructions? They would need to be, I assume, otherwise we're moving the problem to a different place.
> ...
> 3. Add an alternative cgd cipher Adiantum[3], which is built out of
> AES (used only once per disk sector), Poly1305, NH, and XChaCha12,
> and has been deployed by Google for disk encryption on lower-end
> ARM systems.
>
> Security impact: Adiantum generally provides better disk
> encryption security than AES-CBC or AES-XTS because it encrypts
> an entire disk sector at a time, rather than individual cipher
> blocks independently like AES-XTS does or suffixes in units of
> cipher blocks like AES-CBC does, so two snapshots of a disk
> reveal less information with Adiantum than with AES-CBC or
> AES-XTS. Of course, Adiantum is a different cipher so you have
> to create new cgd volumes if you want to use it.
Has this new system received enough scrutiny to justify its use in production? I know AES but not the other bits, and in any case an insecure composite can be built out of secure building blocks.
paul
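Added worked example (an editor's illustration for this archive page, not code from the thread, from BearSSL, or from NetBSD's cgd): the "two snapshots of a disk" point in the quoted proposal, made concrete. The program encrypts one 512-byte sector under cgd-style AES-CBC (IV = E_K2(sector number)), under AES-XTS (per-block tweak advanced by the GF(2^128) multiply), and under a simplified wide-block mode with Adiantum's hash / one AES call / stream cipher / hash shape; it then rewrites a single byte of the sector and counts how many of the 32 ciphertext blocks differ between the two snapshots. Assumptions: the keys are fixed demo values; HMAC-SHA256 stands in for NH/Poly1305, AES-CTR for XChaCha12, XOR for addition mod 2^128, and one AES key is reused where Adiantum derives separate subkeys. The wide-block function is therefore not Adiantum and is not a cipher to deploy, only a demonstration of where the snapshot diff lands.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed demo keys, not real key material; Adiantum's separate subkeys are collapsed onto aesData.
var (
	aesData, _  = aes.NewCipher(bytes.Repeat([]byte{0x11}, 16)) // K1: bulk data
	aesTweak, _ = aes.NewCipher(bytes.Repeat([]byte{0x22}, 16)) // K2: CBC IV / XTS tweak
	hashKey     = bytes.Repeat([]byte{0x33}, 32)                // keyed-hash key
)

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}
// tweakOf = E_K2(sector number): the cgd-style CBC IV and the initial XTS tweak.
func tweakOf(sector uint64) []byte {
	t := make([]byte, 16)
	binary.LittleEndian.PutUint64(t, sector)
	aesTweak.Encrypt(t, t)
	return t
}
// encryptCBC chains blocks, so a change propagates to every later block of the sector.
func encryptCBC(sector uint64, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(aesData, tweakOf(sector)).CryptBlocks(ct, pt)
	return ct
}
// mulAlpha multiplies the tweak by x in GF(2^128), XTS's per-block tweak step.
func mulAlpha(t []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i, v := range t {
		out[i], carry = v<<1|carry, v>>7
	}
	out[0] ^= carry * 0x87
	return out
}
// encryptXTS: C_i = E_K1(P_i ^ T_i) ^ T_i with T_i = E_K2(sector) * x^i; blocks are independent.
func encryptXTS(sector uint64, pt []byte) []byte {
	t, ct := tweakOf(sector), make([]byte, len(pt))
	for i := 0; i < len(pt); i += 16 {
		aesData.Encrypt(ct[i:], xor(pt[i:i+16], t))
		copy(ct[i:], xor(ct[i:i+16], t))
		t = mulAlpha(t)
	}
	return ct
}
// keyedHash stands in for Adiantum's NH/Poly1305 hash (HMAC-SHA256 truncated to 16 bytes).
func keyedHash(tweak, data []byte) []byte {
	m := hmac.New(sha256.New, hashKey)
	m.Write(tweak)
	m.Write(data)
	return m.Sum(nil)[:16]
}
// encryptWide has Adiantum's hash / one AES call / stream cipher / hash shape,
// with AES-CTR standing in for XChaCha12 and XOR for addition mod 2^128.
func encryptWide(sector uint64, pt []byte) []byte {
	tw, n := tweakOf(sector), len(pt)-16
	pl, pr := pt[:n], pt[n:]
	cm := make([]byte, 16)
	aesData.Encrypt(cm, xor(pr, keyedHash(tw, pl))) // the one AES call per sector
	cl := make([]byte, n)
	cipher.NewCTR(aesData, cm).XORKeyStream(cl, pl)
	return append(cl, xor(cm, keyedHash(tw, cl))...)
}
func changedBlocks(a, b []byte) (n int) {
	for i := 0; i < len(a); i += 16 {
		if !bytes.Equal(a[i:i+16], b[i:i+16]) {
			n++
		}
	}
	return
}
// SnapshotLeak encrypts a 512-byte sector before and after one byte at offset 100
// (block 6) is rewritten and counts, per mode, how many of the 32 ciphertext blocks differ.
func SnapshotLeak() (cbc, xts, wide int) {
	before := bytes.Repeat([]byte{0xAA}, 512) // constructed sector contents
	after := append([]byte(nil), before...)
	after[100] ^= 0x01
	cbc = changedBlocks(encryptCBC(7, before), encryptCBC(7, after))
	xts = changedBlocks(encryptXTS(7, before), encryptXTS(7, after))
	wide = changedBlocks(encryptWide(7, before), encryptWide(7, after))
	return
}
func main() {
	cbc, xts, wide := SnapshotLeak()
	fmt.Printf("ciphertext blocks changed (of 32): CBC=%d XTS=%d wide-block=%d\n", cbc, xts, wide)
}
```

Expected result: XTS changes exactly one block, CBC changes block 6 and every block after it (26 of 32), and the wide-block mode changes all 32 (with overwhelming probability: C_M differs, so every CTR keystream block differs, and the final hash differs). That is the leakage difference the proposal is talking about; it is a property of the mode, separate from the constant-time question, which concerns the AES implementation underneath whichever mode is used.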