Re: [openpgp] OpenPGP encryption block modes

"brian m. carlson" <sandals@crustytoothpaste.net> Wed, 10 August 2022 21:50 UTC

Date: Wed, 10 Aug 2022 21:50:03 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <YvQoC1g5rzKCfCVp@tapette.crustytoothpaste.net>
References: <YuFc+w02FiRQmHcg@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox> <87r124m64c.fsf@wheatstone.g10code.de> <YulX9jI1+wOCwLJq@ohm.59.ca> <Q6EUpbQm0e5f1OiU-77Old9p9FXyLCaFZ8pMm7PTt8VTLQJaXRQzWIDSwc3db6yI-56imyOaTNdt9TC8Zrm1jN_kPKxFYH4OqEu6o-Wfquo=@protonmail.com> <YuvlHdLz0Sfle7Ot@ohm.59.ca> <87a68ji1bv.fsf@wheatstone.g10code.de> <YvPGY8ArcKD7Hr1p@watt.59.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Oq4zPFdv61Z7q64a"
Content-Disposition: inline
In-Reply-To: <YvPGY8ArcKD7Hr1p@watt.59.ca>
User-Agent: Mutt/2.2.6 (2022-06-05)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/e1SSzpG6cLhhYSalg1fFF73FTXI>

On 2022-08-10 at 14:53:23, Bruce Walzer wrote:
> On Fri, Aug 05, 2022 at 09:41:56AM +0200, Werner Koch wrote:
> > On Thu,  4 Aug 2022 10:26, Bruce Walzer said:
> > 
> > > I thought you guys were mostly doing messaging. Why would performance
> > > be important in that environment? Speaking of messaging, wouldn't you
> > 
> > A major use case is to encrypt bulk data in the range of hundreds of
> > GiByte and often up to several TiByte.  And that is not only for
> > backups.  It matters whether it takes 6 hours or 45 minutes.
> 
> That raises a question for me as I hold the position that OpenPGP does
> not need any more block cipher modes. I had the impression that
> SEIP-MDC (OCFB-MDC) would be relatively fast as the slow part is
> SHA1. SHA1 is one of the faster cryptographic hashes and is hardware
> accelerated on common platforms. I assumed that the slowness was
> because no one had ever bothered to optimize things. Is this true?

SHA-1 is no longer considered secure, and thus we can't assume that a
SHA-1 hash of the data intrinsically indicates that it hasn't been
changed.

Some OpenPGP implementations are trying to avoid known attacks by using
the same collision-detecting SHA-1 implementation that Git uses, which
is extraordinarily slow and can't be accelerated due to the need for
intermediate products.  (This is why moving to Git's new SHA-256
repositories will tend to improve performance somewhat on modern
machines, as well as improving security.)

Even if we ignored all that and pretended like SHA-1 was still secure,
AES-256-GCM can encrypt 16 KiB chunks at over 6 GB/s on my machine, and
AES-256-OCB can encrypt similar chunks at over 8 GB/s, whereas a
hardware-accelerated SHA-1 tops out at 2 GB/s and AES-256-CFB only runs
at 866 MB/s.  This is a laptop with a Core i7-1280P and 32 GB of RAM
using OpenSSL 3.0.5[0], which tends to have excellent performance.

Note that this is for AES-256: AES-128-OCB operates at over 11 GB/s if
you don't need the additional security of a 256-bit key.  This is almost
certainly faster than your disk and possibly even your network.

Using an AEAD is, in this case, both much, much faster (probably over 10
times considering the SHA-1/CFB composition) and substantially more
secure.  There are really no downsides.

[0] openssl speed -evp {sha1|aes-256-ocb|aes-256-cfb|aes-256-gcm}
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
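An added example, not part of this message or of the thread: it parses the table printed by the `openssl speed -evp` command in footnote [0] (a constructed sample shaped like that output, filled with the message's rounded figures rather than a real run) and estimates the AEAD speedup over SEIP-MDC, modelling AES-CFB followed by the SHA-1 MDC as two serial passes over the same data. The parser's assumptions about the table layout are stated in its docstring.

```python
# Added example, not from the list message: parse `openssl speed -evp` output
# and estimate the AEAD speedup over SEIP-MDC (AES-CFB followed by a SHA-1
# MDC), modelling that composition as two serial passes over the same data.
from typing import Dict

# Constructed sample in the shape of `openssl speed -evp ...` output; the
# figures are the message's rounded numbers, not a real benchmark run.
SAMPLE_SPEED_OUTPUT = """\
version: 3.0.5
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM     400000.00k  1500000.00k 3200000.00k 5000000.00k 5900000.00k 6000000.00k
AES-256-OCB     500000.00k  1900000.00k 4100000.00k 6800000.00k 7900000.00k 8000000.00k
AES-256-CFB     300000.00k   600000.00k  800000.00k  850000.00k  860000.00k  866000.00k
sha1            150000.00k   500000.00k 1100000.00k 1700000.00k 1950000.00k 2000000.00k
"""


def parse_openssl_speed(text: str, block_size: int = 16384) -> Dict[str, float]:
    """Return {algorithm: MB/s} for one block-size column of the speed table.

    Assumes the layout above: a 'type' header listing block sizes, then one
    row per algorithm whose values are in 1000s of bytes/s (suffix 'k').
    """
    sizes = None
    results: Dict[str, float] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "type":
            sizes = [int(f) for f in fields[1:] if f.isdigit()]
            continue
        # skip banner lines before the header and anything not shaped as a row
        if sizes is None or len(fields) != len(sizes) + 1:
            continue
        if not all(f.endswith("k") for f in fields[1:]):
            continue
        kbps = float(fields[1 + sizes.index(block_size)].rstrip("k"))
        results[fields[0].lower()] = kbps / 1000.0  # 1000s of bytes/s -> MB/s
    return results


def serial_throughput(*rates: float) -> float:
    """Combined rate of passes run one after another: per-byte times add."""
    return 1.0 / sum(1.0 / r for r in rates)


def aead_speedup(speeds: Dict[str, float], aead: str) -> float:
    """How many times faster the AEAD mode is than CFB followed by SHA-1."""
    mdc = serial_throughput(speeds["aes-256-cfb"], speeds["sha1"])
    return speeds[aead] / mdc
```

With the message's figures the serial CFB+SHA-1 composition comes out at roughly 604 MB/s, so AES-256-GCM is about 9.9x and AES-256-OCB about 13.2x faster at the 16 KiB block size.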