* [dm-crypt] Adiantum and integrity safe?
@ 2019-05-14 10:17 Kristian Klausen
  2019-05-14 19:59 ` Arno Wagner
  2019-05-15  6:38 ` Milan Broz
  0 siblings, 2 replies; 4+ messages in thread
From: Kristian Klausen @ 2019-05-14 10:17 UTC (permalink / raw)
  To: dm-crypt

Hi

I have a weak Intel Atom(N450) server and three external HDDs. I want to use the HDDs in RAID 5 with encryption and integrity[1].

The Atom CPU is rather weak:
#           Algorithm |  Key |  Encryption |  Decryption
aes-xts                  256b    36.5 MiB/s   37.0 MiB/s
xchacha12,aes-adiantum   256b    83.4 MiB/s   84.3 MiB/s
So I want to use Adiantum; is it safe to combine them?
Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305

[1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
[2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
[3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes

Regards
Kristian Klausen


* Re: [dm-crypt] Adiantum and integrity safe?
  2019-05-14 10:17 [dm-crypt] Adiantum and integrity safe? Kristian Klausen
@ 2019-05-14 19:59 ` Arno Wagner
  2019-05-15  6:38 ` Milan Broz
  1 sibling, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2019-05-14 19:59 UTC (permalink / raw)
  To: dm-crypt

Hi Kristian,

that depends on your attacker model. In principle, DJB has
done very solid work in the past, and Salsa20 has seen at
least reasonable cryptanalysis. XChaCha12 should still have
enough rounds to be secure for a while. The best attacks on
ChaCha seem to work only up to 7 rounds, AFAIK, and have
something like 2^250 effort.

So, for almost all uses, this should provide pretty good
security. If you are actually somebody in the class of
Assange/BinLaden/etc., where the NSA will invest real
effort to get into the crypto, or in a comparable situation,
it would be better to use the mainstream, which has seen
significantly more cryptanalysis effort.

Regards,
Arno



On Tue, May 14, 2019 at 12:17:01 CEST, Kristian Klausen wrote:
> Hi
> 
> I have a weak Intel Atom(N450) server and three external HDDs. I want to
> use the HDDs in RAID 5 with encryption and integrity[1].
> 
> The Atom CPU is rather weak:
> #           Algorithm |  Key |  Encryption |  Decryption
> aes-xts                  256b    36.5 MiB/s   37.0 MiB/s
> xchacha12,aes-adiantum   256b    83.4 MiB/s   84.3 MiB/s
>
> So I want to use Adiantum, is it safe to combine them?
>
> Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305
> 
> [1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
> [2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
> [3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
> 
> Regards
> Kristian Klausen
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


* Re: [dm-crypt] Adiantum and integrity safe?
  2019-05-14 10:17 [dm-crypt] Adiantum and integrity safe? Kristian Klausen
  2019-05-14 19:59 ` Arno Wagner
@ 2019-05-15  6:38 ` Milan Broz
  2019-05-15 22:28   ` Kristian Klausen
  1 sibling, 1 reply; 4+ messages in thread
From: Milan Broz @ 2019-05-15  6:38 UTC (permalink / raw)
  To: Kristian Klausen; +Cc: dm-crypt

On 14/05/2019 12:17, Kristian Klausen wrote:
> I have a weak Intel Atom(N450) server and three external HDDs. I want to use the HDDs in RAID 5 with encryption and integrity[1].
> 
> The Atom CPU is rather weak:
> #           Algorithm |  Key |  Encryption |  Decryption
> aes-xts                  256b    36.5 MiB/s   37.0 MiB/s
> xchacha12,aes-adiantum   256b    83.4 MiB/s   84.3 MiB/s
> So I want to use Adiantum, is it safe to combine them?
> Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305

Hi,

this combination will not work.

Adiantum is fast, but integrity checking will slow it down, so these requirements are going against each other.

But the problem here is technical:

- the proper parameter is "--cipher xchacha12,aes-adiantum-IV" (IV is plain64 for non-integrity mode,
but should be random for integrity protection modes)

- the "poly1305" authenticator is intended to be used with chacha20 through the RFC7539 wrapper,
so it will try to wrap Adiantum using RFC7539, and that is not supported.
(The cipher test will fail because the constructed kernel cipher string is not supported.)

(The intended use was --cipher chacha20-random --integrity poly1305, but it will be quite slow here.)

- You should be able to use Adiantum with other authentication tags (like --integrity hmac-sha256),
but it will be slow on Atom.


If you do not need authenticated encryption, but just add crc32 integrity checking, maybe stacking
RAID over dm-integrity (using integritysetup) will work better (with optional LUKS layer on top using
fast Adiantum cipher).

There are currently some experiments with new bitmap mode in dm-integrity (will be supported by next
integritysetup) that are intended exactly for this RAID stacking scenario, but it is not stable yet.


Milan


> 
> [1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
> [2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
> [3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
> 
> Regards
> Kristian Klausen
> 
> 
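As an added example (not code from this thread and not cryptsetup's own code), the following POSIX shell pre-flight check applies the rules Milan lists above to a `--cipher`/`--integrity` pair before anything is formatted: the spec must end in an IV generator, integrity modes should use the `random` IV, `poly1305` is only reachable through the RFC7539 chacha20 wrapper, and `hmac-*` tags are combined with the cipher as an `authenc` construction. The composition rules and the function name `kernel_cipher_name` are this script's own model of the wrapper names mentioned in the reply, not a copy of cryptsetup's implementation.

```shell
#!/bin/sh
# Added example: pre-flight check for a cryptsetup --cipher / --integrity pair.
# The kernel name it prints follows the wrapper names discussed in the thread
# (mode(cipher), authenc(hmac(H),...), rfc7539(chacha20,poly1305)); it is an
# assumption about how such pairs compose, not cryptsetup's own logic.
#
# Usage: kernel_cipher_name <cipher-spec> [<integrity>]
#   Prints the kernel crypto API name on stdout, or an explanation on stderr
#   and a non-zero status when the pair cannot work.
kernel_cipher_name() {
    spec=$1
    integrity=${2:-none}

    # Split "cipher-mode-iv"; a stream cipher such as "chacha20-random" has no mode.
    case "$spec" in
        *-*-*) iv=${spec##*-}; rest=${spec%-*}; mode=${rest##*-}; cipher=${rest%-*} ;;
        *-*)   iv=${spec##*-}; mode=""; cipher=${spec%-*} ;;
        *)     echo "error: '$spec' has no mode or IV generator" >&2; return 1 ;;
    esac

    # dm-crypt IV generators. "xchacha12,aes-adiantum" lands here with
    # iv=adiantum, which is exactly the missing "-IV" suffix from the reply.
    case "$iv" in
        plain|plain64|plain64be|benbi|null|random|eboiv|lmk|tcw|essiv:*) ;;
        *) echo "error: '$iv' is not an IV generator; append one, e.g. ${spec}-plain64" >&2
           return 1 ;;
    esac

    if [ "$integrity" != none ] && [ "$iv" != random ]; then
        echo "warning: integrity modes should use the 'random' IV generator, not '$iv'" >&2
    fi

    if [ -n "$mode" ]; then
        base="${mode}(${cipher})"   # xts(aes), adiantum(xchacha12,aes)
    else
        base=$cipher                # chacha20
    fi

    case "$integrity" in
        none)   echo "$base" ;;
        hmac-*) echo "authenc(hmac(${integrity#hmac-}),${base})" ;;
        poly1305)
            # poly1305 only exists as the RFC7539 AEAD, which wraps chacha20 and
            # nothing else, so any other cipher yields an unsupported kernel name.
            if [ "$cipher" != chacha20 ] || [ -n "$mode" ]; then
                echo "error: --integrity poly1305 wraps only chacha20 (rfc7539);" \
                     "use --integrity hmac-sha256 with $cipher instead" >&2
                return 1
            fi
            echo "rfc7539(chacha20,poly1305)" ;;
        *) echo "error: unknown integrity algorithm '$integrity'" >&2; return 1 ;;
    esac
}

# Command-line entry point: sh cipherspec.sh check <cipher-spec> [<integrity>]
if [ "${1:-}" = check ]; then
    shift
    kernel_cipher_name "$@"
fi
```

Running `sh cipherspec.sh check xchacha12,aes-adiantum poly1305` reports the missing IV generator first; with `xchacha12,aes-adiantum-random poly1305` it reports the RFC7539 objection, and with `hmac-sha256` it prints `authenc(hmac(sha256),adiantum(xchacha12,aes))`. Whether the running kernel actually provides a given name is still best confirmed with `cryptsetup benchmark -c <spec>` for the non-integrity cipher, as in the table quoted above.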


* Re: [dm-crypt] Adiantum and integrity safe?
  2019-05-15  6:38 ` Milan Broz
@ 2019-05-15 22:28   ` Kristian Klausen
  0 siblings, 0 replies; 4+ messages in thread
From: Kristian Klausen @ 2019-05-15 22:28 UTC (permalink / raw)
  To: Milan Broz; +Cc: dm-crypt

On 15.05.2019 08.38, Milan Broz wrote:
> On 14/05/2019 12:17, Kristian Klausen wrote:
>> I have a weak Intel Atom(N450) server and three external HDDs. I want to use the HDDs in RAID 5 with encryption and integrity[1].
>>
>> The Atom CPU is rather weak:
>> #           Algorithm |  Key |  Encryption |  Decryption
>> aes-xts                  256b    36.5 MiB/s   37.0 MiB/s
>> xchacha12,aes-adiantum   256b    83.4 MiB/s   84.3 MiB/s
>> So I want to use Adiantum, is it safe to combine them?
>> Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305
> Hi,
>
> this combination will not work.
>
> Adiantum is fast, but integrity checking will slow it down, so these requirements are going against each other.
>
> But the problem here is technical:
>
> - the proper parameter is "--cipher xchacha12,aes-adiantum-IV" (IV is plain64 for non-integrity mode,
> but should be random for integrity protection modes)
>
> - the "poly1305" authenticator is intended to be used with chacha20 through RFC7539 wrapper,
> so it will try to wrap Adiantum using the RFC7539 and it is not supported.
> (Cipher test will return fail because constructed kernel cipher string is not supported.)
>
> (The intended use was --cipher chacha20-random --integrity poly1305, but it will be quite slow here.)
>
> - You should be able to use Adiantum with other authentication tags (like --integrity hmac-sha256)
> but it will be slow on Atom.
Thanks for the very thorough answer.

I just did some benchmarking*:
aes-xts-plain64                                        | 17,8 MB/s
xchacha12,aes-adiantum-plain64                         | 22,5 MB/s
xchacha20,aes-adiantum-plain64                         | 24,6 MB/s
xchacha20,aes-adiantum-plain64 --integrity hmac-sha256 | 7,3 MB/s 
(around the same with --integrity-no-journal)
As you can see the Atom is weak.

I also tried plain integrity:
with journal    | 11,2 MB/s
without journal | 32 MB/s
without journal and xchacha20,aes-adiantum-plain64 on top | 19,1 MB/s

I'm not sure how costly RAID-5 is, so it could be even worse.
So I'm probably going with either dm-integrity -> mdraid or dm-integrity -> mdraid -> dm-crypt.

*:
truncate -s 500M disk1.img
dd if=/dev/urandom of=key.bin bs=512 count=1

sudo cryptsetup luksFormat -q --type luks2 --cipher <cipher> disk1.img key.bin
sudo cryptsetup luksOpen disk1.img disk1luks --key-file key.bin

# integrity only
#sudo integritysetup format disk1.img
#sudo integritysetup open disk1.img disk1integrity
#sudo dd if=/dev/zero of=/dev/mapper/disk1integrity bs=1M oflag=direct status=progress

# crypt on top
#sudo cryptsetup luksFormat -q --type luks2 --cipher xchacha20,aes-adiantum-plain64 /dev/mapper/disk1integrity key.bin
#sudo cryptsetup luksOpen /dev/mapper/disk1integrity disk1luks --key-file key.bin

sudo dd if=/dev/zero of=/dev/mapper/disk1luks bs=1M oflag=direct status=progress
>
> If you do not need authenticated encryption, but just add crc32 integrity checking, maybe stacking
> RAID over dm-integrity (using integritysetup) will work better (with optional LUKS layer on top using
> fast Adiantum cipher).
>
> There are currently some experiments with new bitmap mode in dm-integrity (will be supported by next
> integritysetup) that are intended exactly for this RAID stacking scenario, but it is not stable yet.
>
>
> Milan
>
>
>> [1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
>> [2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
>> [3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
>>
>> Regards
>> Kristian Klausen
>>
>>
Kristian
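As an added example (not code from this thread), the script below generalises the truncate/luksFormat/luksOpen/dd measurement Kristian describes into a loop over several cipher and integrity settings, so the LUKS2-only, LUKS2-with-hmac-sha256 and dm-integrity-only cases can be compared on one sparse image with one invocation. It assumes cryptsetup 2.x with `integritysetup`, GNU coreutils (`truncate`, `date +%s%N`), root for device-mapper, and the file names `bench-disk.img` and `bench-key.bin`; the helper names (`mib_per_s`, `format_args`, `bench_luks`, `bench_integrity_only`) are this script's own. The "random" IV in the integrity cases follows Milan's advice above rather than the plain64 IV used in the quoted runs.

```shell
#!/bin/sh
# Added example: throughput loop over cryptsetup cipher/integrity settings on
# a sparse image, modelled on the commands in the message above. Assumes
# cryptsetup 2.x, GNU coreutils and root.  Usage: sudo sh luks-bench.sh run
set -u

IMG=${IMG:-bench-disk.img}   # sparse image standing in for the HDD (assumed name)
KEY=${KEY:-bench-key.bin}    # random key file handed to luksFormat (assumed name)
MAPNAME=benchluks            # device name under /dev/mapper
WRITE_MIB=256                # data written per measurement; fits in the 500M image

# Throughput in MiB/s from a byte count and two nanosecond timestamps.
mib_per_s() {
    awk -v b="$1" -v s="$2" -v e="$3" \
        'BEGIN { printf "%.1f\n", b / 1048576 / ((e - s) / 1e9) }'
}

# luksFormat arguments for a cipher spec with an optional integrity algorithm.
format_args() {
    spec=$1
    integrity=${2:-}
    set -- luksFormat -q --type luks2 --cipher "$spec"
    if [ -n "$integrity" ]; then
        set -- "$@" --integrity "$integrity"
    fi
    echo "$@"
}

# Sequential write to a mapped device with the page cache bypassed, like the
# dd ... oflag=direct command above but timed instead of watched.
write_throughput() {
    start=$(date +%s%N)
    dd if=/dev/zero of="$1" bs=1M count="$WRITE_MIB" oflag=direct 2>/dev/null
    end=$(date +%s%N)
    mib_per_s $((WRITE_MIB * 1048576)) "$start" "$end"
}

# $1 = cipher spec, $2 = integrity algorithm or "", remaining args = activation
# options passed to luksOpen, e.g. --integrity-no-journal.
bench_luks() {
    spec=$1
    integrity=$2
    shift 2
    label="$spec${integrity:+ --integrity $integrity}${1:+ $*}"
    # With --integrity, luksFormat also wipes the device to initialise the
    # tags, so formatting itself takes a while on a slow CPU.
    cryptsetup $(format_args "$spec" "$integrity") "$IMG" "$KEY" \
        || { printf '%-62s format failed\n' "$label"; return 1; }
    cryptsetup luksOpen --key-file "$KEY" "$@" "$IMG" "$MAPNAME" || return 1
    rate=$(write_throughput "/dev/mapper/$MAPNAME")
    cryptsetup luksClose "$MAPNAME"
    printf '%-62s %6s MiB/s\n' "$label" "$rate"
}

# dm-integrity alone (default crc32 tags, journal on): the integritysetup
# variant from the commented-out commands above.
bench_integrity_only() {
    integritysetup format -q "$IMG" || return 1
    integritysetup open "$IMG" "$MAPNAME" || return 1
    rate=$(write_throughput "/dev/mapper/$MAPNAME")
    integritysetup close "$MAPNAME"
    printf '%-62s %6s MiB/s\n' "dm-integrity only (crc32, journal)" "$rate"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "needs root for device-mapper" >&2; exit 1; }
    truncate -s 500M "$IMG"
    dd if=/dev/urandom of="$KEY" bs=512 count=1 2>/dev/null
    bench_luks aes-xts-plain64 ""
    bench_luks xchacha12,aes-adiantum-plain64 ""
    bench_luks xchacha20,aes-adiantum-plain64 ""
    bench_luks xchacha20,aes-adiantum-random hmac-sha256
    bench_luks xchacha20,aes-adiantum-random hmac-sha256 --integrity-no-journal
    bench_integrity_only
    rm -f "$IMG" "$KEY"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Each line of output is one configuration and its write rate, so the cost of the integrity tag and of the journal can be read off directly; measuring on a file in the page cache still goes through the real dm-crypt and dm-integrity targets, so the CPU cost is representative even though the disk is not.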

