IETF Logo Mail Archive

Re: Hardware acceleration and packet number encryption

Christian Huitema <huitema@huitema.net> Mon, 26 March 2018 03:18 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14518124207 for <quic@ietfa.amsl.com>; Sun, 25 Mar 2018 20:18:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOO3cO0SgwyQ for <quic@ietfa.amsl.com>; Sun, 25 Mar 2018 20:18:11 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A06011200A0 for <quic@ietf.org>; Sun, 25 Mar 2018 20:18:11 -0700 (PDT)
Received: from xsmtp02.mail2web.com ([168.144.250.215]) by mx6.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1f0Ie8-0005YQ-Pl for quic@ietf.org; Mon, 26 Mar 2018 05:18:09 +0200
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp02.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1f0Ie6-00060Q-4F for quic@ietf.org; Sun, 25 Mar 2018 23:18:06 -0400
Received: (qmail 5385 invoked from network); 26 Mar 2018 03:18:03 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.56.42.57]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <manasi.deval@intel.com>; 26 Mar 2018 03:18:03 -0000
To: Eric Rescorla <ekr@rtfm.com>, Kazuho Oku <kazuhooku@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Message-ID: <63e207ac-6f61-a911-7a8c-63ee231ea6c2@huitema.net>
Date: Sun, 25 Mar 2018 20:18:01 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------044FF71ED4788A09F15622D0"
Content-Language: en-US
Subject: Re: Hardware acceleration and packet number encryption
X-Originating-IP: 168.144.250.215
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.21)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5j5hssEEcMOJEDWSzeAjIFR602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiViY5SR4YeqcSmVB0XR/bHgKc7i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pBVJlvs1RB82smE8/eMfkvDvvRa7MR4hgRIg8N 1QlY4G7x1YBTEs55LirRLgpsvCFtid7SQi4NE/job5y2wAN3GZxznd8NXwc/vKJtfZaXo5QAJAfA 9MMVcQ9WVjD1q+Rbd9IPG/DQ2p+GU04sTuYFs91jhnM/Mbva2XLV/LIEzaKyLm0zESXAkIAT8ZKA DvsGI5uh86ZVnyOrYkLMWyEaRt9fxN2oReTDHAyOynaY0ClKHhIXfDbmhz3DoftFSAfVIRFsicyJ MEhQFtD8PLoiniWmsFByBoXAuCZEyg59LM/9rUJrEbVA84BZVscMTXpbwyPr6Ygmqufq1En6WLLn AIHlTa0FG0ij7AOlTYklM4LpK2rB8v64rTyvMJx377FzJzLEze0q+TbvUJyM2b1O9c5c5gQ/tACA IuVs896947KU2yw6z85L3UyCdO+oQ3S7VPd90DA1c/ZLOZZo7XGPVfWv8HL1YL3Zn8TE/e4IMjT6 4dZYZAAUgQSn0n4YsmwRRGxQZAxG+4f1XAVNzQl2yuggKW28pboyZCmKkHUYXakXbZIsYCr+gAoG BCU8ceid01MYMisIIjbm9GlUe04QUntB4/4Pbrz2QtFuyl+Sh6dFwOZmPeQdOCsWer2luIDmfqb5 R4VemuUI6bcEARsm0H3NNoW1ZvdERgvndX6lJvSNZy58uobCIkCdwVDO83SGTnM2K/9iKCD9v589 nVS3hWSdEOMftBjsWb6BDQzjSsHUIomTnJwT4ky6b7E7Hukt2Ge4B8NG0VKlrY+34Zmj+F/tjlrZ UvGhhjiSam0tWhQxL7hrJSk60SF3F6RYOYr2
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/tkuOuHttpi1xmpv_fR3jxbco5Ds>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 03:18:14 -0000


On 3/24/2018 9:25 AM, Eric Rescorla wrote:
> I think it would probably be useful to ask this question in two pieces.
>
> ...
> Finally, we could use a more exotic solution like AERO. The draft has
> details, but roughly speaking, it's like an extension of AEAD which
> also takes the sequence number as an input on encryption and then
> returns it on decryption, so you don't need a separate sequence number
> or nonce. Obviously this is pretty much designed for our purpose, but
> it's a relatively new construction and so I don't know how much
> analysis there has been of its security. In addition, while it's based
> on AES-CTR, I don't know what the performance is like in hardware.

I am not so sure about that. The AERO construct relies on a "Wide
Pseudo-Random Permutation" (WPRP). To quote from the AERO draft, "A WPRP
has the property that each bit of its output is a pseudorandom function
of each bit of both of its inputs, for both encryption and decryption."
With that property, the sequence number can be appended to the plain
text; all bits of output will depend on it, in the same way that all
bits of the AEAD input depend on the nonce. But, to quote from the draft
again, "A WPRP is necessarily an offline algorithm", and "offline
algorithms cannot be implemented in a hardware pipeline, such as those
used in high-speed network encryption (for protocols such as 802.1AE)."

The AERO draft goes on explaining that the WPRP requirement might be
relaxed with a different construct,  "Online Pseudo-Random Permutation"
(OPRP), in which "the ith block of output depends only on the first i
blocks of input, for all values of i." But that construct is not
actually developed in the draft.

-- Christian Huitema

but that alternative construct is not fully explained.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email