Re: [Cfrg] Question about the order of hashing
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 05 January 2012 16:27 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7137721F84DE for <cfrg@ietfa.amsl.com>; Thu, 5 Jan 2012 08:27:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.924
X-Spam-Level:
X-Spam-Status: No, score=-5.924 tagged_above=-999 required=5 tests=[AWL=-0.675, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLON691JcsYp for <cfrg@ietfa.amsl.com>; Thu, 5 Jan 2012 08:27:12 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id D4E4321F84D2 for <cfrg@irtf.org>; Thu, 5 Jan 2012 08:27:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=sfluhrer@cisco.com; l=3576; q=dns/txt; s=iport; t=1325780833; x=1326990433; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=KJgsJmY8esSRpg/AB3Cr1l+UB7GcH8pS5IrWoyJChas=; b=YhhAkL8BjErNuqkYAxQ35IJi7nAdqlbgDxoBvLMGokS+hmhJBDygVFt6 YtmZG/ljcxZH7baIHwlSBPHaA+tO3rUFpoZXl26Bvb8GBtYedj0Uj4mI+ SAq5SrKV7Ia+2jGmRw2VYd78cJJyC8EJh8DKwpW5NJMKz4df07c3Q5xl8 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah8FAMjOBU+rRDoG/2dsb2JhbABCDoF3qniBBYFyAQEBBBIBHQo/DAQCAQgOAwQBAQEKBhcBBgFFCQgBAQQBCQkIGp87AZ4Tiy5jBIg5nktY
X-IronPort-AV: E=Sophos;i="4.71,462,1320624000"; d="scan'208";a="23963411"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by mtv-iport-2.cisco.com with ESMTP; 05 Jan 2012 16:26:55 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id q05GQtbu004318; Thu, 5 Jan 2012 16:26:55 GMT
Received: from xmb-sjc-23e.amer.cisco.com ([128.107.191.15]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 5 Jan 2012 08:26:55 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 05 Jan 2012 08:26:53 -0800
Message-ID: <EE0C2F9E065E634B84FC3BE36CF8A4B2087DE600@xmb-sjc-23e.amer.cisco.com>
In-Reply-To: <5C0E5BE9-FE11-46BD-9D91-08FBE0299F10@checkpoint.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Cfrg] Question about the order of hashing
Thread-Index: AczLixWdboFGgb0mTuaGb+2KYIDM+AAN8Krw
References: <5E6BDD30-3EB8-4FBA-826E-4A44DED36283@checkpoint.com><49D24499-1C16-44C4-84C2-36F94F95235C@cs.columbia.edu> <5C0E5BE9-FE11-46BD-9D91-08FBE0299F10@checkpoint.com>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>, Steven Bellovin <smb@cs.columbia.edu>
X-OriginalArrivalTime: 05 Jan 2012 16:26:55.0260 (UTC) FILETIME=[D6AE1DC0:01CCCBC6]
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Question about the order of hashing
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 16:27:13 -0000
> -----Original Message----- > From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of > Yoav Nir > Sent: Thursday, January 05, 2012 4:19 AM > To: Steven Bellovin > Cc: cfrg@irtf.org > Subject: Re: [Cfrg] Question about the order of hashing > > > On Jan 5, 2012, at 11:10 AM, Steven Bellovin wrote: > > > > > On Jan 5, 2012, at 2:29 35AM, Yoav Nir wrote: > > > >> Hi. > >> > >> When using keyed hash functions such as HMAC, GHash, and CBC-MAC, > does the order of the items being concatenated and hashed make any > difference to the security properties of the keyed hash? > >> > >> IOW, does changing HMAC(k, a||b) into HMAC(k, b||a) change the > security properties. > >> > >> My motivation for this question is that I would like to propose a > variant for IPsec where the sequence numbers are hashed after the > payload rather than before it. Different size packets take different > times to hash, so if we try to parallelize IPsec processing, > arbitrarily many packets may finish processing before a large single > packet has finished processing. > >> > >> IPsec emitters are required to emit the packets in order of the > sequence numbers, but since the sequence numbers (which are sent in the > clear) are hashed first, they have to be allocated before hashing > begins. By moving them to the end of the hash, I can allocate the > sequence number after having hashed most of the packet, and have nearly > constant-time processing after allocating the sequence number. > >> > >> So is this scheme I'm proposing save, or would it introduce some > major vulnerability. > >> > > What is your traffic model? If it's a single TCP stream, I think > you'll introduce > > performance problems at that layer if you're sending packets out of > TCP order. > > With a single TCP stream that is transferring a lot of data, all > packets tend to be the same size - that of the MSS. My model is a lot > of packets, some UDP, some TCP, belonging to multiple streams. > > My implementation would place every TCP stream on a single processor, > but that's because my implementation is also a firewall. This won't > help cases where all (or most) traffic is a single TCP stream, but > parallelizing can help where you have multiple streams or packets under > the same SA. Yoav, might I point out that with ESP-GCM (and GMAC), you can actually compute things out of order. That is, you can compute the entire encrypted data and ICV field assuming a sequence number of 0, and afterwards figure out how to adjust the ICV for the actual sequence number. This adjustment does involve computing H**n (where H is an internal GCM value derived from the key, and n is the packet length in 16 byte increments, and the multiplications are GF(2**128) field multiplications). Computing this is logarithmic time, not constant (unless you precompute all the possible H**n values; there's about 100 of them for standard MTU sizes), but is certainly closer to constant what you're originally looking at with the standard HMAC authentication. So, what's the benefit of putting up with this complexity? Well, you can basically get what you want with standard (RFC-compliant) protocols. So, you can implement what you want without asking anyone else to do anything (well, other than implement the GCM RFC, I suppose). I share Steve's concerns about sending packets out of order (my personal worry would be video), but you can implement it yourself, and see in practice if it works well.
- [Cfrg] Question about the order of hashing Yoav Nir
- Re: [Cfrg] Question about the order of hashing Steven Bellovin
- Re: [Cfrg] Question about the order of hashing Yoav Nir
- Re: [Cfrg] Question about the order of hashing Thomas Pornin
- Re: [Cfrg] Question about the order of hashing Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Question about the order of hashing David McGrew
- Re: [Cfrg] Question about the order of hashing Hugo Krawczyk