From: Milan Broz <gmazyland@gmail.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Milan Broz <gmazyland@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
linux-fscrypt@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>,
Gilad Ben-Yossef <gilad@benyossef.com>,
device-mapper development <dm-devel@redhat.com>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>
Subject: Re: [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation
Date: Mon, 17 Jun 2019 19:05:51 +0200 [thread overview]
Message-ID: <af1b7ea1-bc98-06ff-e46c-945e6bae20d8@gmail.com> (raw)
In-Reply-To: <CAKv+Gu82BLPWrX1UzUBLf7UB+qJT6ZPtkvJ2Sa9t28OpXArhnw@mail.gmail.com>
On 17/06/2019 16:39, Ard Biesheuvel wrote:
>>
>> In other words, if you add some additional limit, we are breaking backward compatibility.
>> (Despite the configuration is "wrong" from the security point of view.)
>>
>
> Yes, but breaking backward compatibility only happens if you break
> something that is actually being *used*. So sure,
> xts(aes)-essiv:sha256 makes no sense but people use it anyway. But is
> that also true for, say, gcm(aes)-essiv:sha256 ?
These should not be used. The only way when ESSIV can combine with AEAD mode
is when you combine length-preserving mode with additional integrity tag, for example
# cryptsetup luksFormat -c aes-cbc-essiv:sha256 --integrity hmac-sha256 /dev/sdb
it will produce this dm-crypt cipher spec:
capi:authenc(hmac(sha256),cbc(aes))-essiv:sha256
the authenc(hmac(sha256),cbc(aes)) is direct crypto API cipher composition, the essiv:sha256
IV is processed inside dm-crypt as IV.
So if authenc() composition is problem, then yes, I am afraid these can be used in reality.
But for things like gcm(aes)-essiv:sha256 (IOW real AEAD mode with ESSIV) - these are
not supported by cryptsetup (we support only random IV in this case), so these should
not be used anywhere.
Milan
WARNING: multiple messages have this Message-ID (diff)
From: Milan Broz <gmazyland@gmail.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Milan Broz <gmazyland@gmail.com>
Cc: Gilad Ben-Yossef <gilad@benyossef.com>,
Eric Biggers <ebiggers@kernel.org>,
device-mapper development <dm-devel@redhat.com>,
linux-fscrypt@vger.kernel.org,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation
Date: Mon, 17 Jun 2019 19:05:51 +0200 [thread overview]
Message-ID: <af1b7ea1-bc98-06ff-e46c-945e6bae20d8@gmail.com> (raw)
In-Reply-To: <CAKv+Gu82BLPWrX1UzUBLf7UB+qJT6ZPtkvJ2Sa9t28OpXArhnw@mail.gmail.com>
On 17/06/2019 16:39, Ard Biesheuvel wrote:
>>
>> In other words, if you add some additional limit, we are breaking backward compatibility.
>> (Despite the configuration is "wrong" from the security point of view.)
>>
>
> Yes, but breaking backward compatibility only happens if you break
> something that is actually being *used*. So sure,
> xts(aes)-essiv:sha256 makes no sense but people use it anyway. But is
> that also true for, say, gcm(aes)-essiv:sha256 ?
These should not be used. The only way when ESSIV can combine with AEAD mode
is when you combine length-preserving mode with additional integrity tag, for example
# cryptsetup luksFormat -c aes-cbc-essiv:sha256 --integrity hmac-sha256 /dev/sdb
it will produce this dm-crypt cipher spec:
capi:authenc(hmac(sha256),cbc(aes))-essiv:sha256
the authenc(hmac(sha256),cbc(aes)) is direct crypto API cipher composition, the essiv:sha256
IV is processed inside dm-crypt as IV.
So if authenc() composition is problem, then yes, I am afraid these can be used in reality.
But for things like gcm(aes)-essiv:sha256 (IOW real AEAD mode with ESSIV) - these are
not supported by cryptsetup (we support only random IV in this case), so these should
not be used anywhere.
Milan
next prev parent reply other threads:[~2019-06-17 17:05 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-14 8:34 [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation Ard Biesheuvel
2019-06-14 8:34 ` [RFC PATCH 1/3] crypto: essiv - create a new shash template for IV generation Ard Biesheuvel
2019-06-14 8:34 ` [RFC PATCH 2/3] dm crypt: switch to essiv shash Ard Biesheuvel
2019-06-14 8:34 ` [RFC PATCH 3/3] fscrypt: switch to ESSIV shash Ard Biesheuvel
2019-06-15 18:19 ` [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation Milan Broz
2019-06-15 18:19 ` Milan Broz
2019-06-16 19:13 ` Ard Biesheuvel
2019-06-16 19:13 ` Ard Biesheuvel
2019-06-16 21:09 ` Eric Biggers
2019-06-16 21:09 ` [dm-devel] " Eric Biggers
2019-06-16 20:44 ` Eric Biggers
2019-06-16 20:44 ` Eric Biggers
2019-06-17 8:51 ` Gilad Ben-Yossef
2019-06-17 8:51 ` Gilad Ben-Yossef
2019-06-17 9:15 ` Ard Biesheuvel
2019-06-17 9:15 ` Ard Biesheuvel
2019-06-17 9:20 ` Herbert Xu
2019-06-17 9:20 ` Herbert Xu
2019-06-17 9:24 ` Ard Biesheuvel
2019-06-17 9:24 ` Ard Biesheuvel
2019-06-17 10:39 ` Milan Broz
2019-06-17 10:39 ` Milan Broz
2019-06-17 10:58 ` Ard Biesheuvel
2019-06-17 10:58 ` Ard Biesheuvel
2019-06-17 13:59 ` Ard Biesheuvel
2019-06-17 13:59 ` Ard Biesheuvel
2019-06-17 14:35 ` Milan Broz
2019-06-17 14:35 ` Milan Broz
2019-06-17 14:39 ` Ard Biesheuvel
2019-06-17 14:39 ` Ard Biesheuvel
2019-06-17 17:05 ` Milan Broz [this message]
2019-06-17 17:05 ` Milan Broz
2019-06-17 17:29 ` Ard Biesheuvel
2019-06-17 17:29 ` Ard Biesheuvel
2019-06-17 17:52 ` Milan Broz
2019-06-17 17:52 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af1b7ea1-bc98-06ff-e46c-945e6bae20d8@gmail.com \
--to=gmazyland@gmail.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=gilad@benyossef.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.