dm-crypt.saout.de archive mirror
* [dm-crypt] Is AES-GCM still a bad idea?
@ 2021-11-28  5:50 Alex Lieflander
  2021-11-28 14:58 ` [dm-crypt] " Milan Broz
  0 siblings, 1 reply; 4+ messages in thread
From: Alex Lieflander @ 2021-11-28  5:50 UTC (permalink / raw)
  To: dm-crypt; +Cc: Christoph Anton Mitterer

Hello,

My situation is quite similar to a thread posted a few months ago ("AEAD, recommended alogs and some more questions”), but it was pretty long and I don’t think it got any responses.

I’m hoping that a simplified version might be more approachable. Partial answers are welcome as well.

1) Is aes-gcm-random still unsuitable for “normal” use?
2) If so, are there any plans or estimates for when this might be improved/fixed?

Thanks,
Alex Lieflander
_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de


* [dm-crypt] Re: Is AES-GCM still a bad idea?
  2021-11-28  5:50 [dm-crypt] Is AES-GCM still a bad idea? Alex Lieflander
@ 2021-11-28 14:58 ` Milan Broz
  2021-11-28 20:35   ` Alex Lieflander
  0 siblings, 1 reply; 4+ messages in thread
From: Milan Broz @ 2021-11-28 14:58 UTC (permalink / raw)
  To: Alex Lieflander, dm-crypt; +Cc: Christoph Anton Mitterer


On 11/28/21 06:50, Alex Lieflander wrote:
> Hello,
> 
> My situation is quite similar to a thread posted a few months ago ("AEAD, recommended alogs and some more questions”), but it was pretty long and I don’t think it got any responses.
> 
> I’m hoping that a simplified version might be more approachable. Partial answers are welcome as well.
> 
> 1) Is aes-gcm-random still unsuitable for “normal” use?
> 2) If so, are there any plans or estimates for when this might be improved/fixed?

I think the best option for now is perhaps to use AEGIS ("--cipher aegis128-random --key-size 128 --integrity aead" in cryptsetup notation).

Note that AEGIS256 was removed from recent kernels, see
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=520c1993bbe620e39fd93de1a01b9e0dc0b97aa6

Also see https://github.com/jedisct1/draft-aegis-aead

But still, AEAD (authenticated encryption) in LUKS2 is experimental, so it depends what is the "normal" use for you.

All this really depends what kernel crypto API provides, if we have some better option there, it is trivial to add to cryptsetup.

Milan

* [dm-crypt] Re: Is AES-GCM still a bad idea?
  2021-11-28 14:58 ` [dm-crypt] " Milan Broz
@ 2021-11-28 20:35   ` Alex Lieflander
  2021-11-28 20:51     ` Milan Broz
  0 siblings, 1 reply; 4+ messages in thread
From: Alex Lieflander @ 2021-11-28 20:35 UTC (permalink / raw)
  To: Milan Broz; +Cc: dm-crypt, Christoph Anton Mitterer

Thanks for the prompt response!

> On Nov 28, 2021, at 9:58 AM, Milan Broz wrote:
>> On 11/28/21 06:50, Alex Lieflander wrote:
>> Hello,
>> My situation is quite similar to a thread posted a few months ago ("AEAD, recommended alogs and some more questions”), but it was pretty long and I don’t think it got any responses.
>> I’m hoping that a simplified version might be more approachable. Partial answers are welcome as well.
>> 1) Is aes-gcm-random still unsuitable for “normal” use?
>> 2) If so, are there any plans or estimates for when this might be improved/fixed?
> 
> I think the best option for now is perhaps to use AEGIS ("--cipher aegis128-random --key-size 128 --integrity aead" in cryptsetup notation).
> 
> Note that AEGIS256 was removed from recent kernels, see
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=520c1993bbe620e39fd93de1a01b9e0dc0b97aa6
> 
> Also see https://github.com/jedisct1/draft-aegis-aead

I appreciate the suggestion, but I was really hoping for something that supported 192-bit AES encryption.

> But still, AEAD (authenticated encryption) in LUKS2 is experimental, so it depends what is the "normal" use for you.
> 
> All this really depends what kernel crypto API provides, if we have some better option there, it is trivial to add to cryptsetup.
> 
> Milan

Speaking of which, does cryptsetup support AES-GCM-SIV? I seem to be able to create devices with "--cipher aes-gcm-siv --integrity aead” but I can’t open them.

* [dm-crypt] Re: Is AES-GCM still a bad idea?
  2021-11-28 20:35   ` Alex Lieflander
@ 2021-11-28 20:51     ` Milan Broz
  0 siblings, 0 replies; 4+ messages in thread
From: Milan Broz @ 2021-11-28 20:51 UTC (permalink / raw)
  To: Alex Lieflander; +Cc: dm-crypt, Christoph Anton Mitterer

On 11/28/21 21:35, Alex Lieflander wrote:
> Thanks for the prompt response!
> 
>> On Nov 28, 2021, at 9:58 AM, Milan Broz wrote:
>>> On 11/28/21 06:50, Alex Lieflander wrote:
>>> Hello,
>>> My situation is quite similar to a thread posted a few months ago ("AEAD, recommended alogs and some more questions”), but it was pretty long and I don’t think it got any responses.
>>> I’m hoping that a simplified version might be more approachable. Partial answers are welcome as well.
>>> 1) Is aes-gcm-random still unsuitable for “normal” use?
>>> 2) If so, are there any plans or estimates for when this might be improved/fixed?
>>
>> I think the best option for now is perhaps to use AEGIS ("--cipher aegis128-random --key-size 128 --integrity aead" in cryptsetup notation).
>>
>> Note that AEGIS256 was removed from recent kernels, see
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=520c1993bbe620e39fd93de1a01b9e0dc0b97aa6
>>
>> Also see https://github.com/jedisct1/draft-aegis-aead
> 
> I appreciate the suggestion, but I was really hoping for something that supported 192-bit AES encryption.

We had AEGIS256 there, but as you can see, it was removed.

> 
>> But still, AEAD (authenticated encryption) in LUKS2 is experimental, so it depends what is the "normal" use for you.
>>
>> All this really depends what kernel crypto API provides, if we have some better option there, it is trivial to add to cryptsetup.
>>
>> Milan
> 
> Speaking of which, does cryptsetup support AES-GCM-SIV? I seem to be able to create devices with "--cipher aes-gcm-siv --integrity aead” but I can’t open them.

As I said, it must be supported by Linux kernel API... GCM-SIV is not supported yet (only GCM).

Cryptsetup currently can check only for non-AEAD algorithms support in kernel before formatting, that's why it fails too late there (on open).
That should be fixed, eventually.

Milan
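
An added example, not part of the thread and not cryptsetup's own code: a manual pre-format check that an AEAD is registered with the kernel crypto API, the step the last message says cryptsetup does not yet do for AEAD ciphers. It assumes the kernel names "gcm(aes)" and "aegis128" for the ciphers discussed; the sample listing is constructed and "placeholder-absent" is a made-up name. /proc/crypto lists only algorithms registered at that moment, so a miss can also mean a module that is not loaded yet.

```shell
#!/bin/sh
# Report whether an algorithm is registered as type "aead".
# $1 = kernel crypto API name, $2 = file in /proc/crypto layout (default: /proc/crypto)
aead_registered() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one blank-line-separated record per algorithm
        {
            name = ""; type = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, /[ \t]*:[ \t]*/)
                sub(/[ \t]+$/, "", kv[2])
                if (kv[1] == "name") name = kv[2]
                if (kv[1] == "type") type = kv[2]
            }
            if (name == want && type == "aead") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "${2:-/proc/crypto}"
}

# Constructed sample in /proc/crypto layout (not captured from a real system).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : kernel
type         : aead
ivsize       : 12
maxauthsize  : 16

name         : aegis128
driver       : aegis128-generic
module       : aegis128
type         : aead

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher
EOF

# cbc(aes) is present but is not an AEAD, so it must be reported as a miss.
for alg in "gcm(aes)" "aegis128" "cbc(aes)" "placeholder-absent"; do
    if aead_registered "$alg" "$SAMPLE"; then
        echo "$alg: registered as AEAD"
    else
        echo "$alg: not registered as AEAD"
    fi
done
```

On a real system, call `aead_registered "gcm(aes)"` with no second argument to read /proc/crypto before running luksFormat with "--integrity aead".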
