* [dm-crypt] Adiantum and integrity safe?
@ 2019-05-14 10:17 Kristian Klausen
2019-05-14 19:59 ` Arno Wagner
2019-05-15 6:38 ` Milan Broz
0 siblings, 2 replies; 4+ messages in thread
From: Kristian Klausen @ 2019-05-14 10:17 UTC (permalink / raw)
To: dm-crypt
Hi
I have a weak Intel Atom(N450) server and three external HDDs. I want to use the HDDs in RAID 5 with encryption and integrity[1].
The Atom CPU is rather weak:
# Algorithm | Key | Encryption | Decryption
aes-xts 256b 36.5 MiB/s 37.0 MiB/s
xchacha12,aes-adiantum 256b 83.4 MiB/s 84.3 MiB/s
So I want to use Adiantum, is it safe to combine them?
Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305
[1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
[2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
[3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
Regards
Kristian Klausen
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Adiantum and integrity safe?
2019-05-14 10:17 [dm-crypt] Adiantum and integrity safe? Kristian Klausen
@ 2019-05-14 19:59 ` Arno Wagner
2019-05-15 6:38 ` Milan Broz
1 sibling, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2019-05-14 19:59 UTC (permalink / raw)
To: dm-crypt
Hi Kristian,
that depends on your attacker model. In principle, DJB has
done very solid work in the past, and Salsa20 has seen at
least reasonable cryptoanalysis. XChaCha12 should still have
enought rounds to be secure for a while. The best attacks on
ChaCha seem to work only up to 7 rounds, AFAIK, and has
something like 2^250 effort.
So, for almost all uses, this should provide pretty good
security. If you are acually somebody in the class of
Assange/BinLaden/etc., where the NSA will invest real
effort to get into the crypto, or in a comparable situation,
it would be better to use the mainstream, which has seen
significantly more crypto-analyses efforts.
Regards,
Arno
On Tue, May 14, 2019 at 12:17:01 CEST, Kristian Klausen wrote:
> Hi
>
> I have a weak Intel Atom(N450) server and three external HDDs. I want to
> use the HDDs in RAID 5 with encryption and integrity[1].
>
> The Atom CPU is rather weak:
> # Algorithm | Key | Encryption | Decryption
> aes-xts 256b 36.5 MiB/s 37.0 MiB/s
> xchacha12,aes-adiantum 256b 83.4 MiB/s 84.3 MiB/s
>
> So I want to use Adiantum, is it safe to combine them?
>
> Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305
>
> [1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
> [2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
> [3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
>
> Regards
> Kristian Klausen
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Adiantum and integrity safe?
2019-05-14 10:17 [dm-crypt] Adiantum and integrity safe? Kristian Klausen
2019-05-14 19:59 ` Arno Wagner
@ 2019-05-15 6:38 ` Milan Broz
2019-05-15 22:28 ` Kristian Klausen
1 sibling, 1 reply; 4+ messages in thread
From: Milan Broz @ 2019-05-15 6:38 UTC (permalink / raw)
To: Kristian Klausen; +Cc: dm-crypt
On 14/05/2019 12:17, Kristian Klausen wrote:
> I have a weak Intel Atom(N450) server and three external HDDs. I want to use the HDDs in RAID 5 with encryption and integrity[1].
>
> The Atom CPU is rather weak:
> # Algorithm | Key | Encryption | Decryption
> aes-xts 256b 36.5 MiB/s 37.0 MiB/s
> xchacha12,aes-adiantum 256b 83.4 MiB/s 84.3 MiB/s
> So I want to use Adiantum, is it safe to combine them?
> Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305
Hi,
this combination will not work.
Adiantum is fast, but integrity checking will slow it down, so these requirements are going againts themselves.
But thew problem is technical here:
- the proper parameter is "--cipher xchacha12,aes-adiantum-IV" (IV is plain64 for non-integrity mode,
but should be random for integrity protection modes)
- the "poly1305" authenticator is intended to be used with chacha20 through RFC7539 wrapper,
so it will try to wrap Adiantum using the RFC7539 and it is not supported.
(Cipher test will return fail because constructed kernel cipher string is not supported.)
(The intended use was --cipher chacha20-random --integrity poly1305, but it will be quite slow here.)
- You should be able to use Adiantum with other authentication tags (like --integrity hmac-sha256)
but it will be slow on Atom.
If you do not need authenticated encryption, but just add crc32 integrity checking, maybe stacking
RAID over dm-integrity (using integritysetup) will work better (with optional LUKS layer on top using
fast Adiantum cipher).
There are currently some experiments with new bitmap mode in dm-integrity (will be supported by next
integritysetup) that are intended exactly for this RAID stacking scenario, but it is not stable yet.
Milan
>
> [1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
> [2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
> [3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
>
> Regards
> Kristian Klausen
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Adiantum and integrity safe?
2019-05-15 6:38 ` Milan Broz
@ 2019-05-15 22:28 ` Kristian Klausen
0 siblings, 0 replies; 4+ messages in thread
From: Kristian Klausen @ 2019-05-15 22:28 UTC (permalink / raw)
To: Milan Broz; +Cc: dm-crypt
On 15.05.2019 08.38, Milan Broz wrote:
> On 14/05/2019 12:17, Kristian Klausen wrote:
>> I have a weak Intel Atom(N450) server and three external HDDs. I want to use the HDDs in RAID 5 with encryption and integrity[1].
>>
>> The Atom CPU is rather weak:
>> # Algorithm | Key | Encryption | Decryption
>> aes-xts 256b 36.5 MiB/s 37.0 MiB/s
>> xchacha12,aes-adiantum 256b 83.4 MiB/s 84.3 MiB/s
>> So I want to use Adiantum, is it safe to combine them?
>> Ex[2][3]: cryptsetup luksFormat --type luks2 <device> --cipher xchacha12,aes-adiantum --integrity poly1305
> Hi,
>
> this combination will not work.
>
> Adiantum is fast, but integrity checking will slow it down, so these requirements are going againts themselves.
>
> But thew problem is technical here:
>
> - the proper parameter is "--cipher xchacha12,aes-adiantum-IV" (IV is plain64 for non-integrity mode,
> but should be random for integrity protection modes)
>
> - the "poly1305" authenticator is intended to be used with chacha20 through RFC7539 wrapper,
> so it will try to wrap Adiantum using the RFC7539 and it is not supported.
> (Cipher test will return fail because constructed kernel cipher string is not supported.)
>
> (The intended use was --cipher chacha20-random --integrity poly1305, but it will be quite slow here.)
>
> - You should be able to use Adiantum with other authentication tags (like --integrity hmac-sha256)
> but it will be slow on Atom.
Thanks for the very thorough answer.
I just did some benchmarking*:
aes-xts-plain64 | 17,8 MB/s
xchacha12,aes-adiantum-plain64 | 22,5 MB/s
xchacha20,aes-adiantum-plain64 | 24,6 MB/s
xchacha20,aes-adiantum-plain64 --integrity hmac-sha256 | 7,3 MB/s
(around the same with --integrity-no-journal)
As you can see the Atom is weak.
I also tried plain integrity:
with journal | 11,2 MB/s
without journal | 32 MB/s without journal
without journal and xchacha20,aes-adiantum-plain64 ontop | 19,1 MB/s
I'm not sure how costly RAID-5 is, so it could be even worse.
So I'm probably going with either dm-integrity -> mdraid or dm-integrity
-> mdraid -> dm-crypt.
*:
truncate -s 500M disk1.img
dd if=/dev/urandom of=key.bin bs=512 count=1
sudo cryptsetup luksFormat -q --type luks2 --cipher <cipher> disk1.img
key.bin
sudo cryptsetup luksOpen disk1.img disk1luks --key-file key.bin
# integrity only
#sudo integritysetup format disk1.img
#sudo integritysetup open disk1.img disk1integrity
#sudo dd if=/dev/zero of=/dev/mapper/disk1integrity bs=1M oflag=direct
status=progress
# crypt ontop
#sudo cryptsetup luksFormat -q --type luks2 --cipher
xchacha20,aes-adiantum-plain64 /dev/mapper/disk1integrity key.bin
#sudo cryptsetup luksOpen /dev/mapper/disk1integrity disk1luks
--key-file key.bin
sudo dd if=/dev/zero of=/dev/mapper/disk1luks bs=1M oflag=direct
status=progress
>
> If you do not need authenticated encryption, but just add crc32 integrity checking, maybe stacking
> RAID over dm-integrity (using integritysetup) will work better (with optional LUKS layer on top using
> fast Adiantum cipher).
>
> There are currently some experiments with new bitmap mode in dm-integrity (will be supported by next
> integritysetup) that are intended exactly for this RAID stacking scenario, but it is not stable yet.
>
>
> Milan
>
>
>> [1] https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
>> [2] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
>> [3] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes
>>
>> Regards
>> Kristian Klausen
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> https://www.saout.de/mailman/listinfo/dm-crypt
>>
Kristian
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-05-15 22:28 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-14 10:17 [dm-crypt] Adiantum and integrity safe? Kristian Klausen
2019-05-14 19:59 ` Arno Wagner
2019-05-15 6:38 ` Milan Broz
2019-05-15 22:28 ` Kristian Klausen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.