linux-crypto.vger.kernel.org archive mirror
From: "Van Leeuwen, Pascal" <pvanleeuwen@rambus.com>
To: Andrei Botila <andrei.botila@oss.nxp.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Cc: "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [RFC] crypto: xts - limit accepted key length
Date: Mon, 2 Mar 2020 08:33:03 +0000	[thread overview]
Message-ID: <CY4PR0401MB3652818432E5A28BC5089E15C3E70@CY4PR0401MB3652.namprd04.prod.outlook.com> (raw)
In-Reply-To: <b8c0cbbf0cb94e389bae5ae3da77596d@DM6PR20MB2762.namprd20.prod.outlook.com>

> -----Original Message-----
> From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf Of Andrei Botila
> Sent: Monday, March 2, 2020 9:16 AM
> To: Herbert Xu <herbert@gondor.apana.org.au>; David S. Miller <davem@davemloft.net>
> Cc: linux-crypto@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: [RFC] crypto: xts - limit accepted key length
>
> From: Andrei Botila <andrei.botila@nxp.com>
>
> Currently in XTS generic implementation the valid key length is
> represented by any length which is even. This is a deviation from
> the XTS-AES standard (IEEE 1619-2007) which allows keys equal
> to {2 x 16B, 2 x 32B} that correspond to underlying XTS-AES-{128, 256}
> algorithm. XTS-AES-192 is not supported as mentioned in commit
> b66ad0b7aa92 ("crypto: tcrypt - remove AES-XTS-192 speed tests") or
> any other length beside these two specified.
>
> If this modification is accepted then other ciphers that use XTS mode
> will have to be modified (camellia, cast6, serpent, twofish).
>
> Signed-off-by: Andrei Botila <andrei.botila@nxp.com>
> ---
>  include/crypto/xts.h | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/include/crypto/xts.h b/include/crypto/xts.h
> index 0f8dba69feb4..26e764a5ae46 100644
> --- a/include/crypto/xts.h
> +++ b/include/crypto/xts.h
> @@ -4,6 +4,7 @@
>
>  #include <crypto/b128ops.h>
>  #include <crypto/internal/skcipher.h>
> +#include <crypto/aes.h>
>  #include <linux/fips.h>
>
>  #define XTS_BLOCK_SIZE 16
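Review bot: adding `#include <crypto/aes.h>` to include/crypto/xts.h ties the generic XTS key helpers to AES key sizes, although the commit message itself says camellia, cast6, serpent and twofish go through this same header; if the stricter check is wanted, consider taking the accepted sizes from the underlying cipher (its own min/max key size) instead of from AES_MIN_KEY_SIZE/AES_MAX_KEY_SIZE, so that the header stays cipher-agnostic.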
> @@ -12,10 +13,10 @@ static inline int xts_check_key(struct crypto_tfm *tfm,
>                                 const u8 *key, unsigned int keylen)
>  {
>         /*
> -        * key consists of keys of equal size concatenated, therefore
> -        * the length must be even.
> +        * key consists of keys of equal size concatenated, possible
> +        * values are 32 or 64 bytes.
>          */
> -       if (keylen % 2)
> +       if (keylen != 2 * AES_MIN_KEY_SIZE && keylen != 2 * AES_MAX_KEY_SIZE)
>                 return -EINVAL;
>
>         /* ensure that the AES and tweak key are not identical */
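Review bot: the new `if (keylen != 2 * AES_MIN_KEY_SIZE && keylen != 2 * AES_MAX_KEY_SIZE)` test in xts_check_key() rejects 48-byte bundles (2 x 24, i.e. XTS-AES-192) and every non-AES user whose key size is not 16 or 32 bytes, and the commit message defers fixing those other ciphers to a later change; as submitted, any xts(camellia)/xts(cast6)/xts(serpent)/xts(twofish) setkey with a key size outside those two values fails until that follow-up lands, so either carry the follow-up in the same series or derive the accepted sizes from the underlying cipher. The new comment "possible values are 32 or 64 bytes" should also state why 48 is excluded, since the old comment explained the rule it replaced.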
> @@ -29,10 +30,10 @@ static inline int xts_verify_key(struct crypto_skcipher *tfm,
>                                  const u8 *key, unsigned int keylen)
>  {
>         /*
> -        * key consists of keys of equal size concatenated, therefore
> -        * the length must be even.
> +        * key consists of keys of equal size concatenated, possible
> +        * values are 32 or 64 bytes.
>          */
> -       if (keylen % 2)
> +       if (keylen != 2 * AES_MIN_KEY_SIZE && keylen != 2 * AES_MAX_KEY_SIZE)
>                 return -EINVAL;
>
>         /* ensure that the AES and tweak key are not identical */
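Review bot: this condition and comment in xts_verify_key() duplicate the ones just added to xts_check_key(); factor the size test into one shared static inline helper (say, `xts_keylen_ok(keylen)`) called from both functions, so a later change such as admitting the 48-byte size cannot leave the two out of sync. The old `keylen % 2` test also implicitly guaranteed that `keylen / 2` splits the buffer cleanly for the identical-key memcmp that follows; 32 and 64 still satisfy that, but a helper is the natural place to keep that property documented.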
> --
> 2.17.1

Hmm ... in principle IEEE-1619 also defines XTS *only* for AES. So by that same
reasoning, you should also not allow any usage of XTS beyond AES. Yet it is
actually being actively used(?) with other ciphers in the Linux kernel. Which is
not wrong per se, as the construct works with any block cipher with a 128 bit
block size. And is secure as long as that block cipher is secure.

So why not allow 192 bit AES keys? Or some key size that some other algorithm
may require, as I'm not sure all ciphers it is used with have 128 or 256 bit keys.

The modulo 2 check was just to ensure you indeed provided 2 full cipher keys;
any other error checking was deferred to the cipher algorithm's setkey.

Note that such a change would also allow all hardware drivers implementing
xts to follow suit and report an error, otherwise they will fail the selftests ...

Regards,
Pascal van Leeuwen
Silicon IP Architect Multi-Protocol Engines, Rambus Security
Rambus ROTW Holding BV
+31-73 6581953

Note: The Inside Secure/Verimatrix Silicon IP team was recently acquired by Rambus.
Please be so kind to update your e-mail address book with my new e-mail address.

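The two key-length policies argued over above, side by side, as an added user-space example that is neither kernel code nor part of the posted patch: xts_keylen_rfc() is the RFC's rule (only 2 x 16 or 2 x 32 bytes), xts_keylen_generic() is the pre-patch rule the reply describes (even length, with each half's validity deferred to the cipher's own key sizes), and xts_keys_differ() is the "data key and tweak key must not be identical" check from the hunk context. The struct cipher_desc type, the "toy20" and "toy64" ciphers and their key sizes are constructed for this example; the AES sizes and the XTS block size are the real ones. The identical-key check is applied unconditionally here, whereas the kernel only enforces it when fips_enabled.

```c
/*
 * Example model of XTS key-bundle validation (added here; not kernel code).
 * Returns 0 on acceptance and -EINVAL on rejection, like the kernel helpers.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XTS_BLOCK_SIZE   16  /* as in include/crypto/xts.h */
#define AES_MIN_KEY_SIZE 16  /* kernel constants referenced by the patch */
#define AES_MAX_KEY_SIZE 32

/* Hypothetical stand-in for a block cipher's algorithm description. */
struct cipher_desc {
	const char *name;
	unsigned int blocksize;     /* bytes */
	unsigned int keysizes[4];   /* accepted key sizes in bytes, 0-terminated */
};

/* Constructed table: AES sizes are the standard 16/24/32; "toy20" is an
 * invented 128-bit block cipher with a 20-byte key and "toy64" an invented
 * cipher with a 64-bit block, which XTS must refuse regardless of key size. */
const struct cipher_desc aes_desc   = { "aes",   16, { 16, 24, 32, 0 } };
const struct cipher_desc toy20_desc = { "toy20", 16, { 20, 0 } };
const struct cipher_desc toy64_desc = { "toy64",  8, { 16, 0 } };

/* RFC rule: only XTS-AES-128 and XTS-AES-256 key bundles pass. */
int xts_keylen_rfc(unsigned int keylen)
{
	if (keylen != 2 * AES_MIN_KEY_SIZE && keylen != 2 * AES_MAX_KEY_SIZE)
		return -EINVAL;
	return 0;
}

/* What the underlying cipher's setkey would say about one half of the bundle. */
static int cipher_accepts_keylen(const struct cipher_desc *c, unsigned int keylen)
{
	for (int i = 0; c->keysizes[i]; i++)
		if (c->keysizes[i] == keylen)
			return 1;
	return 0;
}

/* Generic rule: XTS needs a 128-bit block cipher and two equal-size keys;
 * whether keylen/2 is a valid key is the cipher's decision, not XTS's. */
int xts_keylen_generic(const struct cipher_desc *c, unsigned int keylen)
{
	if (c->blocksize != XTS_BLOCK_SIZE)
		return -EINVAL;
	if (keylen % 2)
		return -EINVAL;
	if (!cipher_accepts_keylen(c, keylen / 2))
		return -EINVAL;
	return 0;
}

/* Reject a bundle whose data key and tweak key are identical (the kernel
 * applies this check only when fips_enabled; here it is unconditional). */
int xts_keys_differ(const uint8_t *key, unsigned int keylen)
{
	if (keylen % 2)
		return -EINVAL;
	if (memcmp(key, key + keylen / 2, keylen / 2) == 0)
		return -EINVAL;
	return 0;
}

int main(void)
{
	const unsigned int lens[] = { 32, 40, 48, 64 };

	for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
		printf("keylen %2u: rfc=%d generic(aes)=%d generic(toy20)=%d\n",
		       lens[i], xts_keylen_rfc(lens[i]),
		       xts_keylen_generic(&aes_desc, lens[i]),
		       xts_keylen_generic(&toy20_desc, lens[i]));
	return 0;
}
```

Running it shows the difference the reply is pointing at: a 48-byte bundle is rejected by the RFC rule but accepted by the generic rule for AES (two 24-byte keys), while a 40-byte bundle is rejected for AES and accepted for the constructed 20-byte-key cipher, because the generic rule only asserts "two equal halves" and leaves the rest to the cipher.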
