Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos

"Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com> Wed, 04 January 2023 16:49 UTC

From: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
To: Olga Kornievskaia <aglo@umich.edu>
CC: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Date: Wed, 04 Jan 2023 16:49:08 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/TbyVMoLAVOs45c1NVs9kKcd_FGM>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

Well, that's ultimately the question for a performance profiler to answer: does it even need offloading?

CPU AES instructions can do CBC rather cheaply.
________________________________
From: Olga Kornievskaia <aglo@umich.edu>
Sent: Wednesday, January 4, 2023 8:44:15 AM
To: Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>; kitten@ietf.org <kitten@ietf.org>
Subject: Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos

I'm not aware of any NFS vendors that have been able to offload
their Kerberos crypto work onto a card. I'd like to think it's not
because nobody tried or that nobody wanted to speed up their Kerberos
protected mounts. Again perhaps it's the lack of some info on my part.

On Tue, Jan 3, 2023 at 3:09 PM Steve Syfuhs (AP)
<Steve.Syfuhs=40microsoft.com@dmarc.ietf.org> wrote:
>
> CTS is also "just" CBC with a bit of futzing of the first and last block, so hardware acceleration is supported on most devices.
> ________________________________
> From: Kitten <kitten-bounces@ietf.org> on behalf of Jeffrey Altman <jaltman@secure-endpoints.com>
> Sent: Tuesday, January 3, 2023 12:02:27 PM
> To: Olga Kornievskaia (aglo@umich.edu) <aglo@umich.edu>
> Cc: kitten@ietf.org <kitten@ietf.org>
> Subject: [EXTERNAL] Re: [kitten] Question about AES mode in Kerberos
>
> On 1/3/2023 2:51 PM, Olga Kornievskaia (aglo@umich.edu) wrote:
> >
> > Thank you for the clarification. Now I understand the GCM's unspoken
> > role in RFC 3961. But I still feel wanting some sort of an explanation
> > why CTS mode was chosen over GCM (by the working group as a whole).
>
> Simple answer.   The initial draft of what would become RFC3962 was
> published five years before Galois/Counter Mode (GCM) was invented.
>
> Jeffrey Altman
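The point made in the thread, that CTS rides on ordinary CBC, shown as an added example (not code from the thread or from any Kerberos implementation). It covers only the cipher-mode step in the RFC 3962 style, where the last two ciphertext blocks are always swapped, and leaves out the confounder, key derivation and HMAC; the names `cts` and `bs` and the sample key, IV and plaintext are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize

// cts runs ciphertext stealing (last two blocks swapped) on top of stock AES-CBC.
func cts(key, iv, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err == nil && (len(iv) != bs || len(in) < bs) {
		err = fmt.Errorf("need a %d-byte IV and at least one block of input", bs)
	}
	if err != nil {
		return nil, err
	}
	buf := make([]byte, (len(in)+bs-1)/bs*bs) // zero-padded working copy
	copy(buf, in)
	n := len(buf)
	if !decrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf) // plain CBC does all the AES work
		if n > bs { // swap the last two blocks; the truncation below drops the tail of C_{n-1}
			tmp := append([]byte{}, buf[n-bs:]...)
			copy(buf[n-bs:], buf[n-2*bs:n-bs])
			copy(buf[n-2*bs:], tmp)
		}
		return buf[:len(in)], nil
	}
	if n > bs {
		prev, last := buf[n-2*bs:n-bs], buf[n-bs:]
		copy(last, prev)        // the transmitted C_n goes back to the end
		blk.Decrypt(prev, last) // tail bytes of D(C_n) equal the dropped tail of C_{n-1}
		copy(prev, in[n-bs:])   // head bytes are the transmitted part of C_{n-1}
	}
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf) // plain CBC again
	return buf[:len(in)], nil
}

func main() {
	key, iv := make([]byte, 16), make([]byte, bs) // constructed all-zero sample key and IV
	ct, _ := cts(key, iv, []byte("constructed sample plaintext"), false)
	pt, _ := cts(key, iv, ct, true)
	fmt.Printf("%d ciphertext bytes, plaintext %q\n", len(ct), pt)
}
```

The only non-CBC AES call is the single `blk.Decrypt` used to rebuild the truncated block on decryption; everything else goes through the same CBC path a profiler would already be measuring.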